CVE-2025-49557: Magento Cross-site Scripting vulnerability

August 12, 2025 (updated August 15, 2025)

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

References

github.com/advisories/GHSA-8mq8-c243-2335
helpx.adobe.com/security/products/magento/apsb25-71.html
nvd.nist.gov/vuln/detail/CVE-2025-49557

Code Behaviors & Features

Detect and mitigate CVE-2025-49557 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →