Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Stored XSS in Adobe Commerce and Magento Open Source administrative form fields

IdentifiersCVE-2025-54264CWE-79· Improper Neutralization of Input…

CVE-2025-54264 is a stored cross-site scripting vulnerability affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. A high-privileged authenticated attacker can inject malicious JavaScript into certain vulnerable form fields in the administrative interface. The payload is stored by the application, typically in the database, and later executes in a victim’s browser when that user visits a page rendering the tainted field. The available context attributes the flaw to insufficient input validation and output encoding on specific form fields. Affected Adobe Commerce versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier; corresponding Magento Open Source and Adobe Commerce B2B branches are also affected as described by Adobe.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables execution of attacker-controlled JavaScript in another user’s browser within the application context. The primary impact described is session takeover, including theft or abuse of session cookies or tokens, with resulting high confidentiality and integrity impact. Because scope is changed, compromise of one user’s browser session can be leveraged to perform actions as that victim, potentially enabling privilege escalation, unauthorized administrative actions, and further data compromise. Availability impact is not emphasized in the provided material.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict and closely monitor administrative access, especially high-privileged accounts able to edit or submit content into the affected form fields. Limit privileges to trusted users only, monitor for suspicious content or unexpected admin-side changes, and use compensating controls such as stricter input validation/output encoding where feasible and a restrictive Content Security Policy to reduce script execution risk. Enhanced logging and alerting around administrative content changes can help detect abuse.

Remediation

Patch, then assume compromise.

Apply Adobe’s security updates to fixed releases. Based on the provided advisory context, upgrade Adobe Commerce 2.4.9-alpha2 to 2.4.9-alpha3, 2.4.8-p2 and earlier to 2.4.8-p3, 2.4.7-p7 and earlier to 2.4.7-p8, 2.4.6-p12 and earlier to 2.4.6-p13, 2.4.5-p14 and earlier to 2.4.5-p15, and 2.4.4-p15 and earlier to 2.4.4-p16. Also update corresponding Adobe Commerce B2B and Magento Open Source versions to the vendor-specified fixed releases. Apply vendor-provided patches immediately.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AdobeCommerceapplication
AdobeCommerce B2bapplication
AdobeMagentoapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Oct 15, 2025
Adobe Issues Urgent Security Updates for Connect, Commerce, and Creative Cloud Apps

A stored XSS vulnerability in Adobe Commerce and Magento Open Source that could allow attackers to execute arbitrary code or scripts.

Read more
adobe-security-bulletinsNews
Oct 14, 2025
Adobe Security Bulletin

A stored XSS vulnerability in Adobe Commerce / Magento Open Source that can be leveraged for privilege escalation (requires authentication and admin privileges per bulletin fields).

Read more
zeropath blogNews
Oct 14, 2025
Adobe Commerce CVE-2025-54264: Brief Summary of a Critical Stored XSS Vulnerability - ZeroPath Blog | ZeroPath

A stored cross-site scripting vulnerability in Adobe Commerce and Magento Open Source that allows a high-privileged attacker to inject malicious JavaScript into administrative form fields, potentially leading to session hijacking and privilege escalation.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-54264
NVD
nvd.nist.gov/vuln/detail/CVE-2025-54264
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Vendor Advisory
helpx.adobe.com/security/products/magento/apsb25-94.html