Security update available for Adobe Commerce | APSB26-49
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system write, application denial-of-service, and security feature bypass.
Body
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Solutions:

| Product | Updated versions | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe Commerce | 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18 | All | 2 | 2.4.x Release Notes |
| Adobe Commerce B2B | 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18 | All | 2 | 2.4.x Release Notes |
| Magento Open Source | 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15 | All | 2 | 2.4.x Release Notes |

Authentication required to exploit: the vulnerability is (or is not) exploitable without credentials.

Exploit requires admin privileges: the vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Vulnerabilities:

| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) |
|---|---|---|---|---|---|---|---|
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | No | Yes | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | CVE-2026-34645 |
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | No | Yes | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | CVE-2026-34646 |
| Server-Side Request Forgery (SSRF) (CWE-918) | Security feature bypass | Critical | No | Yes | 7.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N | CVE-2026-34647 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34648 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34649 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34650 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34651 |
| Dependency on Vulnerable Third-Party Component (CWE-1395) | Application denial-of-service | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34652 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | CVE-2026-34686 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary file system write | Critical | Yes | Yes | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | CVE-2026-34653 |
| Dependency on Vulnerable Third-Party Component (CWE-1395) | Application denial-of-service | Important | Yes | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVE-2026-34654 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CVE-2026-34655 |
| Improper Authorization (CWE-285) | Security feature bypass | Important | No | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2026-34656 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CVE-2026-34658 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Moderate | Yes | Yes | 3.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N | CVE-2026-34685 |

Acknowledgments:

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

- thlassche -- CVE-2026-34645, CVE-2026-34646, CVE-2026-34656
- 0x0doteth -- CVE-2026-34647
- bau1u -- CVE-2026-34648, CVE-2026-34649, CVE-2026-34650, CVE-2026-34651
- wash0ut -- CVE-2026-34652
- rez0 -- CVE-2026-34653
- akouba -- CVE-2026-34654
- srcoder -- CVE-2026-34655
- schemonah -- CVE-2026-34658
- truff -- CVE-2026-34685
- Ray Wolf (raywolfmaster) -- CVE-2026-34686

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe.

For more information, visit https://helpx.adobe.com/security.html, or email [email protected].
Tags
- contains:cve
- has:last-updated
- priority:2
- vendor:adobe
Extended fields
{
"acknowledgments": [
"Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:",
"thlassche -- CVE-2026-34645, CVE-2026-34646, CVE-2026-34656",
"0x0doteth -- CVE-2026-34647",
"bau1u -- CVE-2026-34648, CVE-2026-34649, CVE-2026-34650, CVE-2026-34651",
"wash0ut -- CVE-2026-34652",
"rez0 -- CVE-2026-34653",
"akouba -- CVE-2026-34654",
"srcoder -- CVE-2026-34655",
"schemonah -- CVE-2026-34658",
"truff -- CVE-2026-34685",
"Ray Wolf (raywolfmaster) -- CVE-2026-34686",
"NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe .",
"For more information, visit https://helpx.adobe.com/security.html , or email [email protected]."
],
"bulletin_id": "APSB26-49",
"detail_url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html",
"last_updated": "05/14/2026",
"originally_posted": "05/12/2026",
"priority": "2",
"solution_paragraphs": [
"Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version."
],
"solutions": [
{
"availability": "2.4.x Release Notes",
"availability_url": "https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/adobe-commerce/overview",
"platform": "All",
"priority": "2",
"product": "Adobe Commerce",
"version": "2.4.9 2.4.8-p5 2.4.7-p10 2.4.6-p15 2.4.5-p17 2.4.4-p18"
},
{
"availability": "2.4.x Release Notes",
"availability_url": "https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/adobe-commerce/overview",
"platform": "All",
"priority": "2",
"product": "Adobe Commerce B2B",
"version": "1.5.3 1.5.2-p5 1.4.2-p10 1.3.4-p17 1.3.3-p18"
},
{
"availability": "2.4.x Release Notes",
"availability_url": "https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/adobe-commerce/overview",
"platform": "All",
"priority": "2",
"product": "Magento Open Source",
"version": "2.4.9 2.4.8-p5 2.4.7-p10 2.4.6-p15"
}
],
"summary_paragraphs": [
"Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical , important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system write, application denial-of-service, and security feature bypass.",
"Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
],
"vulnerabilities": [
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34645",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Incorrect Authorization ( CWE-863 )",
"Vulnerability Impact": "Security feature bypass"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34646",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Incorrect Authorization ( CWE-863 )",
"Vulnerability Impact": "Security feature bypass"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34647",
"CVSS base score": "7.4",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Server-Side Request Forgery (SSRF) ( CWE-918 )",
"Vulnerability Impact": "Security feature bypass"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34648",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Uncontrolled Resource Consumption ( CWE-400 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34649",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Uncontrolled Resource Consumption ( CWE-400 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34650",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Uncontrolled Resource Consumption ( CWE-400 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34651",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Uncontrolled Resource Consumption ( CWE-400 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34652",
"CVSS base score": "7.5",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Dependency on Vulnerable Third-Party Component ( CWE-1395 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34686",
"CVSS base score": "8.7",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Cross-site Scripting (Stored XSS) ( CWE-79 )",
"Vulnerability Impact": "Arbitrary code execution"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34653",
"CVSS base score": "8.7",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Critical",
"Vulnerability Category": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ( CWE-22 )",
"Vulnerability Impact": "Arbitrary file system write"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34654",
"CVSS base score": "5.3",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Important",
"Vulnerability Category": "Dependency on Vulnerable Third-Party Component ( CWE-1395 )",
"Vulnerability Impact": "Application denial-of-service"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34655",
"CVSS base score": "4.8",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Important",
"Vulnerability Category": "Cross-site Scripting (Stored XSS) ( CWE-79 )",
"Vulnerability Impact": "Arbitrary code execution"
},
{
"Authentication required to exploit?": "No",
"CVE number(s)": "CVE-2026-34656",
"CVSS base score": "4.3",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"Exploit requires admin privileges?": "No",
"Notes": null,
"Severity": "Important",
"Vulnerability Category": "Improper Authorization ( CWE-285 )",
"Vulnerability Impact": "Security feature bypass"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34658",
"CVSS base score": "4.8",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Important",
"Vulnerability Category": "Cross-site Scripting (Stored XSS) ( CWE-79 )",
"Vulnerability Impact": "Arbitrary code execution"
},
{
"Authentication required to exploit?": "Yes",
"CVE number(s)": "CVE-2026-34685",
"CVSS base score": "3.4",
"CVSS vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
"Exploit requires admin privileges?": "Yes",
"Notes": null,
"Severity": "Moderate",
"Vulnerability Category": "Improper Input Validation ( CWE-20 )",
"Vulnerability Impact": "Arbitrary code execution"
}
],
"vulnerability_paragraphs": [
"Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.",
"Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges."
]
}