CVE-2026-21284

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.4-p16 and earlier Adobe Commerce versions 2.4.5-p15 Adobe Commerce versions 2.4.6-p13 Adobe Commerce versions 2.4.7-p8 Adobe Commerce versions 2.4.8-p3 Adobe Commerce version 2.4.9-alpha3

Description The software is subject to a stored Cross-Site Scripting (XSS) issue. A high-privileged attacker could inject malicious scripts into vulnerable form fields. Execution of malicious JavaScript may occur in a victim’s browser when they access the page containing the vulnerable field. A successful attack could lead to session takeover, impacting confidentiality and integrity. Exploitation requires user interaction, specifically a victim browsing to the page with the vulnerable field.

Recommendations Update Adobe Commerce versions prior to 2.4.4-p16. Update Adobe Commerce versions prior to 2.4.5-p15. Update Adobe Commerce versions prior to 2.4.6-p13. Update Adobe Commerce versions prior to 2.4.7-p8. Update Adobe Commerce versions prior to 2.4.8-p3. Update Adobe Commerce version 2.4.9-alpha3.