magento/community-edition Security Advisories for 2.4.4-p13 (23)
-
[HIGH] Magento provides incorrect authorization through a security feature bypass
PKSA-sx8r-h4sj-cx12 CVE-2025-54263 GHSA-69x9-xp2j-w8g8
Affected version: =2.4.6|=2.4.7|=2.4.8|<2.4.6-p13|>=2.4.7-beta1,<2.4.7-p8|>=2.4.8-beta1,<2.4.8-p3|>=2.4.9-alpha1,<2.4.9-alpha3
Reported by:
GitHub -
[HIGH] Magento vulnerable to stored Cross-Site Scripting (XSS)
PKSA-kfkq-dx9k-8hdv CVE-2025-54264 GHSA-2768-5wmv-cfff
Affected version: =2.4.6|=2.4.7|=2.4.8|<2.4.6-p13|>=2.4.7-beta1,<2.4.7-p8|>=2.4.8-beta1,<2.4.8-p3|>=2.4.9-alpha1,<2.4.9-alpha3
Reported by:
GitHub -
[MEDIUM] Magento allows incorrect authorization
PKSA-xbxj-3c74-rztg CVE-2025-54265 GHSA-r355-75hw-r8jf
Affected version: =2.4.6|=2.4.7|=2.4.8|<2.4.6-p13|>=2.4.7-beta1,<2.4.7-p8|>=2.4.8-beta1,<2.4.8-p3|>=2.4.9-alpha1,<2.4.9-alpha3
Reported by:
GitHub -
[MEDIUM] Magento vulnerable to stored Cross-Site Scripting (XSS)
PKSA-k1pj-8rhw-k527 CVE-2025-54266 GHSA-pcrx-r49h-x2w5
Affected version: =2.4.6|=2.4.7|=2.4.8|<2.4.6-p13|>=2.4.7-beta1,<2.4.7-p8|>=2.4.8-beta1,<2.4.8-p3|>=2.4.9-alpha1,<2.4.9-alpha3
Reported by:
GitHub -
[MEDIUM] Magento vulnerable to privilege escalation due to incorrect authorization
PKSA-cdwr-82gv-fq4r CVE-2025-54267 GHSA-qvwr-p3hj-j6jf
Affected version: =2.4.6|=2.4.7|=2.4.8|<2.4.6-p13|>=2.4.7-beta1,<2.4.7-p8|>=2.4.8-beta1,<2.4.8-p3|>=2.4.9-alpha1,<2.4.9-alpha3
Reported by:
GitHub -
[CRITICAL] Magento Community Edition Improper Input Validation vulnerability
PKSA-zy5h-f76g-zq5h CVE-2025-54236 GHSA-wh92-6q6g-px7j
Affected version: =2.4.9|>=2.4.8-beta1,<=2.4.8-p2|>=2.4.7-beta1,<=2.4.7-p7|=2.4.8|=2.4.7|>=2.4.9-alpha1,<=2.4.9-alpha2|=2.4.5|>=2.4.6-p1,<=2.4.6-p12|=2.4.6|<=2.4.5-p14
Reported by:
GitHub -
[HIGH] Magento vulnerable to denial of service
PKSA-pn21-84x4-fh3j CVE-2025-49554 GHSA-xgfm-992v-h2hr
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p14|>=2.4.6-p1,<2.4.6-p12|>=2.4.7-beta1,<2.4.7-p7|>=2.4.8-beta1,<2.4.8-p2|>=2.4.9-alpha1,<2.4.9-alpha2
Reported by:
GitHub -
[HIGH] Magento Cross-Site Request Forgery (CSRF) vulnerability
PKSA-23gm-rmhm-83mc CVE-2025-49555 GHSA-5777-jj7p-mpqw
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p14|>=2.4.6-p1,<2.4.6-p12|>=2.4.7-beta1,<2.4.7-p7|>=2.4.8-beta1,<2.4.8-p2|>=2.4.9-alpha1,<2.4.9-alpha2
Reported by:
GitHub -
[HIGH] Magento has incorrect authorization issue that leads to arbitrary file system read
PKSA-br3d-5r49-ycpt CVE-2025-49556 GHSA-7hrj-3c9x-xv5h
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p14|>=2.4.6-p1,<2.4.6-p12|>=2.4.7-beta1,<2.4.7-p7|>=2.4.8-beta1,<2.4.8-p2|>=2.4.9-alpha1,<2.4.9-alpha2
Reported by:
GitHub -
[HIGH] Magento Cross-site Scripting vulnerability
PKSA-j53w-rgct-w5r6 CVE-2025-49557 GHSA-8mq8-c243-2335
Affected version: =2.4.8|>=2.4.7-p1,<2.4.7-p7|>=2.4.6-p1,<2.4.6-p12|>=2.4.5-p1,<2.4.5-p14|<2.4.4-p15
Reported by:
GitHub -
[MEDIUM] Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
PKSA-jghm-1dxh-r2mf CVE-2025-49558 GHSA-wcmw-8xpp-rwfj
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p14|>=2.4.6-p1,<2.4.6-p12|>=2.4.7-beta1,<2.4.7-p7|>=2.4.8-beta1,<2.4.8-p2|>=2.4.9-alpha1,<2.4.9-alpha2
Reported by:
GitHub -
[MEDIUM] Magento vulnerable to path traversal
PKSA-j661-47kj-8y19 CVE-2025-49559 GHSA-h4f4-gv6h-x824
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p14|>=2.4.6-p1,<2.4.6-p12|>=2.4.7-beta1,<2.4.7-p7|>=2.4.8-beta1,<2.4.8-p2|>=2.4.9-alpha1,<2.4.9-alpha2
Reported by:
GitHub -
[LOW] Magento Authenticated Security feature bypass
PKSA-z33d-78qh-jd88 CVE-2025-49549 GHSA-85jx-x9r4-45m2
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p13|>=2.4.6-p1,<2.4.6-p11|>=2.4.7-beta1,<2.4.7-p6
Reported by:
GitHub -
[MEDIUM] Magento Security feature bypass
PKSA-w1hm-vgyt-d5ty CVE-2025-49550 GHSA-8hcx-xvww-6c6h
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p13|>=2.4.6-p1,<2.4.6-p11|>=2.4.7-beta1,<2.4.7-p6
Reported by:
GitHub -
[HIGH] Magento Improper Authorization leading to security feature bypass
PKSA-25jg-bht9-cn5m CVE-2025-43585 GHSA-r487-9vv5-75gg
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p13|>=2.4.6-p1,<2.4.6-p11|>=2.4.7-beta1,<2.4.7-p6
Reported by:
GitHub -
[CRITICAL] Magneto contains stored XSS vulnerability
PKSA-rb7h-1s2b-4dwg CVE-2025-47110 GHSA-j934-vjh5-vf9r
Affected version: =2.4.6|>=2.4.6-p1,<2.4.6-p11|=2.4.5|=2.4.8|=2.4.7|<2.4.5-p13|>=2.4.7-beta1,<2.4.7-p6|>=2.4.8-beta1,<2.4.8-p1
Reported by:
GitHub -
[MEDIUM] Magento Improper Access Control leads to security feature bypass
PKSA-twxs-5jt6-zf4j CVE-2025-27206 GHSA-g2pj-xmxq-3r9q
Affected version: =2.4.8|=2.4.7|=2.4.6|=2.4.5|<2.4.5-p13|>=2.4.6-p1,<2.4.6-p11|>=2.4.7-beta1,<2.4.7-p6
Reported by:
GitHub -
[HIGH] Magento Improper Access Control vulnerability
PKSA-858j-1s59-ycmj CVE-2022-34255 GHSA-x95x-f4g9-mm85
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|>=2.3.0,<2.3.7-p4
Reported by:
GitHub -
[HIGH] Magento Improper Authorization vulnerability
PKSA-4kq2-8xg5-xc5f CVE-2022-34256 GHSA-r7mm-grf3-5fjv
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|>=2.3.0,<2.3.7-p4
Reported by:
GitHub -
[MEDIUM] Magento stored Cross-Site Scripting (XSS) vulnerability
PKSA-8rxk-pq5k-p21j CVE-2022-34257 GHSA-rg7p-wmgj-f374
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|>=2.3.0,<2.3.7-p4
Reported by:
GitHub -
[MEDIUM] Magento stored Cross-Site Scripting (XSS) vulnerability
PKSA-48rk-jcyb-xpsd CVE-2022-34258 GHSA-5m55-g8pv-x8ww
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|>=2.3.0,<2.3.7-p4
Reported by:
GitHub -
[MEDIUM] Magento Improper Access Control vulnerability
PKSA-1w77-ttnz-wb1k CVE-2022-34259 GHSA-9wjf-94h3-r4rh
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|>=2.3.0,<2.3.7-p4
Reported by:
GitHub -
[CRITICAL] Magento XML Injection vulnerability in the Widgets Module
PKSA-ky72-2cr3-p8cw CVE-2022-34253 GHSA-cj7w-pm77-hvg6
Affected version: >=2.4.0,<2.4.3-p3|>=2.4.4,<2.4.5|<2.3.7-p4
Reported by:
GitHub