Commerce

Adobe Commerce versions 2.4.9-beta1 and earlier are susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-34686) that allows low-privileged attackers to inject malicious scripts into form fields, leading to potential account compromise.

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are vulnerable to a path traversal (CVE-2026-34653) allowing authenticated administrators to read and write arbitrary files.

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17 and earlier are vulnerable to a denial-of-service due to a dependency on a vulnerable third-party component, which an attacker can exploit to crash the application without user interaction.

Adobe Commerce versions 2.4.9-beta1 and earlier are vulnerable to uncontrolled resource consumption, potentially leading to application denial-of-service due to an attacker's ability to exhaust system resources without user interaction.

Adobe Commerce versions 2.4.9-beta1 and earlier are susceptible to an uncontrolled resource consumption vulnerability (CVE-2026-34649), allowing an unauthenticated attacker to trigger a denial-of-service condition by exhausting system resources.

Adobe Commerce versions 2.4.9-beta1 and earlier are vulnerable to Server-Side Request Forgery (SSRF) via a maliciously crafted URL, potentially leading to security feature bypass and unauthorized read access.

Adobe Commerce versions 2.4.9-beta1 and earlier are vulnerable to an Incorrect Authorization issue (CVE-2026-34646) that allows attackers to bypass security features and gain unauthorized write access without user interaction.