4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54266

GHSA ID

GHSA-pcrx-r49h-x2w5

EPSS Score

0.22229%

CWE

CWE-79

Published

10/14/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54266

CVE-2025-54266: Magento vulnerable to stored Cross-Site Scripting (XSS)

Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54266

GHSA ID

GHSA-pcrx-r49h-x2w5

EPSS Score

0.22229%

CWE

CWE-79

Published

10/14/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/project-community-edition	composer	<= 2.0.2
magento/community-edition	composer	>= 2.4.9-alpha1, < 2.4.9-alpha3	2.4.9-alpha3
magento/community-edition	composer	>= 2.4.8-beta1, < 2.4.8-p3	2.4.8-p3
magento/community-edition	composer	>= 2.4.7-beta1, < 2.4.7-p8	2.4.7-p8
magento/community-edition	composer	< 2.4.6-p13	2.4.6-p13
magento/community-edition	composer	= 2.4.8
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	= 2.4.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

I have analyzed the provided vulnerability information but was unable to find the specific commits that introduced the patch for the stored XSS vulnerability (CVE-2025-54266). My attempts to compare the vulnerable and patched versions using their release tags did not reveal the individual security fix commits. Without the patch diff, I cannot confidently identify the vulnerable functions and provide the required evidence.

Therefore, I am returning an empty result.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.*-*lp***, *.*.*-p*, *.*.*-p*, *.*.*-p**, *.*.*-p**, *.*.*-p** *n* **rli*r *r* *****t** *y * stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility t**t *oul* ** **us** *y * *i**-privil**** *tt**k*r to inj**t m*li*ious s*ripts into vuln*

Reasoning

I **v* *n*lyz** t** provi*** vuln*r**ility in*orm*tion *ut w*s un**l* to *in* t** sp**i*i* *ommits t**t intro*u*** t** p*t** *or t** stor** XSS vuln*r**ility (*V*-****-*****). My *tt*mpts to *omp*r* t** vuln*r**l* *n* p*t**** v*rsions usin* t**ir r*l

4.8

Basic Information

Concerned about an active attack path?

CVE-2025-54266: Magento vulnerable to stored Cross-Site Scripting (XSS)

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI