CVE-2026-47994
Adobe · Adobe Commerce
A stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce allows a low-privileged attacker to inject malicious scripts into form fields.
Executive summary
Adobe Commerce and related products are vulnerable to stored Cross-Site Scripting, which could allow attackers to execute malicious scripts in a user's browser session.
Vulnerability
This is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). By injecting malicious scripts into vulnerable form fields, a low-privileged attacker can cause the script to execute when an unsuspecting user, such as an administrator, views the compromised data.
Business impact
Stored XSS can lead to session hijacking, unauthorized actions performed on behalf of an administrator, and potential data theft. If an administrator views the injected content, the attacker could gain administrative control over the e-commerce platform, leading to severe reputational damage and financial loss. The CVSS score of 8.7 highlights the significant risk to site integrity and session security.
Remediation
Immediate Action: Update Adobe Commerce, Magento Open Source, and the Webhooks Plugin to the July 2026 security release versions provided by Adobe.
Proactive Monitoring: Monitor web application logs for suspicious input patterns in form fields, specifically looking for script tags or encoded payloads.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect incoming traffic and block common script injection attempts in form inputs.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Adobe Commerce administrators should move quickly to apply the July 2026 security patches. Addressing this XSS vulnerability is essential to protect administrative sessions and maintain the integrity of the e-commerce storefront.