8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49557

GHSA ID

GHSA-8mq8-c243-2335

EPSS Score

0.10968%

CWE

CWE-79

Published

8/12/2025

Updated

8/15/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49557

CVE-2025-49557: Magento Cross-site Scripting vulnerability

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49557

GHSA ID

GHSA-8mq8-c243-2335

EPSS Score

0.10968%

CWE

CWE-79

Published

8/12/2025

Updated

8/15/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	< 2.4.4-p15	2.4.4-p15
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p14	2.4.5-p14
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p12	2.4.6-p12
magento/community-edition	composer	>= 2.4.7-p1, < 2.4.7-p7	2.4.7-p7
magento/community-edition	composer	= 2.4.8
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-*lp***, *.*.*-p*, *.*.*-p*, *.*.*-p**, *.*.*-p**, *.*.*-p** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** *xploit** *y * low-privil**** *tt**k*r to inj**t m*li*ious s*ripts i

Reasoning

No *n*lysis *v*il**l*

8.7

Basic Information

Concerned about an active attack path?

CVE-2025-49557: Magento Cross-site Scripting vulnerability

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI