← Back
2026-05-12 19:50CVE-2026-34686adobe
PUBLISHED5.2CWE-79

Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

Problem type

Affected products

Adobe

Adobe Commerce

<= 2.4.4-p17 - AFFECTED

References

helpx.adobe.com

https://helpx.adobe.com/security/products/magento/apsb26-49.html

vendor-advisory

GitHub Security Advisories

GHSA-9wrj-m77q-jw6c

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and...

https://github.com/advisories/GHSA-9wrj-m77q-jw6c

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-34686

helpx.adobe.com

https://helpx.adobe.com/security/products/magento/apsb26-49.html

github.com

https://github.com/advisories/GHSA-9wrj-m77q-jw6c

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-34686
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-34686",
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "dateUpdated": "2026-05-12T19:50:32.687Z",
    "dateReserved": "2026-03-30T17:30:36.496Z",
    "datePublished": "2026-05-12T19:50:32.687Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe",
        "dateUpdated": "2026-05-12T19:50:32.687Z"
      },
      "datePublic": "2026-05-12T17:00:00.000Z",
      "title": "Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)",
      "descriptions": [
        {
          "lang": "en",
          "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed."
        }
      ],
      "affected": [
        {
          "vendor": "Adobe",
          "product": "Adobe Commerce",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "2.4.4-p17"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "temporalScore": 8.7,
            "temporalSeverity": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NETWORK",
            "modifiedAttackComplexity": "LOW",
            "modifiedPrivilegesRequired": "LOW",
            "modifiedUserInteraction": "REQUIRED",
            "modifiedScope": "CHANGED",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedAvailabilityImpact": "NONE",
            "environmentalScore": 8.7,
            "environmentalSeverity": "HIGH"
          }
        }
      ]
    }
  }
}