Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
Adobe Commerce: Stored XSS in Form Fields
CVE-2026-21361
Summary
Adobe Commerce versions 2.4.9-alpha3 and earlier have a security flaw that allows a skilled attacker to inject malicious code into a user's browser if they visit a specially crafted page. This could lead to the attacker taking control of the user's session, potentially allowing them to access sensitive information or make unauthorized changes. To protect your site, update to the latest version of Adobe Commerce as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| adobe | commerce | <= 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce_b2b | <= 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | magento | <= 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.9 | – |
Original title
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a hi...
Original description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
nvd CVSS3.1
8.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026