← Back
2026-05-12 19:50CVE-2026-34653adobe
PUBLISHED5.2CWE-22

Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.

Problem type

Affected products

Adobe

Adobe Commerce

<= 2.4.4-p17 - AFFECTED

References

helpx.adobe.com

https://helpx.adobe.com/security/products/magento/apsb26-49.html

vendor-advisory

GitHub Security Advisories

GHSA-jr4r-4m6q-5fpc

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and...

https://github.com/advisories/GHSA-jr4r-4m6q-5fpc

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-34653

helpx.adobe.com

https://helpx.adobe.com/security/products/magento/apsb26-49.html

github.com

https://github.com/advisories/GHSA-jr4r-4m6q-5fpc

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-34653
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-34653",
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "dateUpdated": "2026-05-12T19:50:29.984Z",
    "dateReserved": "2026-03-30T17:30:36.493Z",
    "datePublished": "2026-05-12T19:50:29.984Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe",
        "dateUpdated": "2026-05-12T19:50:29.984Z"
      },
      "datePublic": "2026-05-12T17:00:00.000Z",
      "title": "Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)",
      "descriptions": [
        {
          "lang": "en",
          "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed."
        }
      ],
      "affected": [
        {
          "vendor": "Adobe",
          "product": "Adobe Commerce",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "2.4.4-p17"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "temporalScore": 8.7,
            "temporalSeverity": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NETWORK",
            "modifiedAttackComplexity": "LOW",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedUserInteraction": "NONE",
            "modifiedScope": "CHANGED",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedAvailabilityImpact": "NONE",
            "environmentalScore": 8.7,
            "environmentalSeverity": "HIGH"
          }
        }
      ]
    }
  }
}