{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/commerce-2.4.9-beta1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34652"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Commerce","Commerce (2.4.9-beta1)","Commerce (2.4.8-p4)","Commerce (2.4.7-p9)","Commerce (2.4.6-p14)","Commerce (2.4.5-p16)","Commerce (2.4.4-p17)"],"_cs_severities":["medium"],"_cs_tags":["cve","dos","adobe commerce","third-party component"],"_cs_type":"advisory","_cs_vendors":["Adobe"],"content_html":"\u003cp\u003eCVE-2026-34652 affects Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, and earlier. The vulnerability stems from a dependency on a vulnerable third-party component, which can be exploited to trigger a denial-of-service (DoS) condition. An attacker can leverage this flaw to crash the application, thereby rendering it unavailable to legitimate users. Exploitation does not require any user interaction, which lowers the barrier to an attack. This vulnerability poses a risk to e-commerce platforms relying on Adobe Commerce, potentially disrupting business operations and impacting revenue. 
Defenders need to ensure they are running supported versions, and should look for unusual patterns indicating resource exhaustion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Adobe Commerce instance running a vulnerable version (2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the vulnerable third-party component.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Adobe Commerce server via HTTP/HTTPS.\u003c/li\u003e\n\u003cli\u003eThe vulnerable third-party component processes the malicious request, leading to a crash.\u003c/li\u003e\n\u003cli\u003eThe Adobe Commerce application becomes unresponsive due to the crashed component.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the application, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to sustain the denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34652 leads to a denial-of-service condition, rendering the affected Adobe Commerce application unavailable. This can result in significant disruption to e-commerce operations, potentially causing financial losses due to lost sales and reputational damage. The impact is especially severe for businesses heavily reliant on their online storefront. 
The CVSS v3.1 base score is 7.5, indicating a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of Adobe Commerce that addresses CVE-2026-34652, as detailed in the Adobe security advisory (\u003ca href=\"https://helpx.adobe.com/security/products/magento/apsb26-49.html\"\u003ehttps://helpx.adobe.com/security/products/magento/apsb26-49.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on incoming requests to mitigate potential DoS attacks targeting the vulnerable component.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unusual activity or error messages indicative of a crashing third-party component.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-34652 Exploitation Attempt — High Volume Requests\u0026rdquo; to detect potential exploitation attempts via high request rates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T20:20:53Z","date_published":"2026-05-12T20:20:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-34652/","summary":"Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17 and earlier are vulnerable to a denial-of-service due to a dependency on a vulnerable third-party component, which an attacker can exploit to crash the application without user interaction.","title":"CVE-2026-34652: Adobe Commerce Dependency on Vulnerable Third-Party Component Leading to DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-34652/"}],"language":"en","title":"CraftedSignal Threat Feed — Commerce (2.4.9-Beta1)","version":"https://jsonfeed.org/version/1.1"}