Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.8
Adobe Commerce: Unauthorized Access to Files Through Misused Path Names
CVE-2026-21360
Summary
Adobe Commerce versions 2.4.9-alpha3 and earlier have a security flaw that allows an attacker with high levels of access to bypass security restrictions and access files outside of what they're supposed to see. This could happen without the need for user interaction. Adobe Commerce users should update to a patched version to prevent unauthorized access.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| adobe | commerce | <= 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.4 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.5 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.6 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.7 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.8 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce | 2.4.9 | – |
| adobe | commerce_b2b | <= 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.3 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.4 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.3.5 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.4.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.2 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | commerce_b2b | 1.5.3 | – |
| adobe | magento | <= 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.5 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.6 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.7 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.8 | – |
| adobe | magento | 2.4.9 | – |
Original title
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal...
Original description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restricted path. Exploitation of this issue does not require user interaction.
nvd CVSS3.1
6.8
Vulnerability type
CWE-22
Path Traversal
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026