Bulletin ID
Last updated on
Mar 10, 2026
Security update available for Adobe Commerce | APSB26-05
|
|
Date Published |
Priority |
|---|---|---|
|
APSB26-05 |
March 10, 2026 |
2 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important, and moderate vulnerabilities. Successful exploitation could lead to security feature bypass, application denial-of-service, privilege escalation, arbitrary code execution, and arbitrary file system read.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
| Product | Version | Priority Rating | Platform |
|---|---|---|---|
| Adobe Commerce |
2.4.9-alpha3 and earlier 2.4.8-p3 and earlier 2.4.7-p8 and earlier 2.4.6-p13 and earlier 2.4.5-p15 and earlier 2.4.4-p16 and earlier |
2 | All |
| Adobe Commerce B2B |
1.5.3-alpha3 and earlier 1.5.2-p3 and earlier 1.4.2-p8 and earlier 1.3.5-p13 and earlier 1.3.4-p15 and earlier 1.3.3-p16 and earlier |
2 | All |
| Magento Open Source | 2.4.9-alpha3 2.4.8-p3 and earlier 2.4.7-p8 and earlier 2.4.6-p13 and earlier 2.4.5-p15 and earlier |
2 | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | 2.4.9‑beta1 for 2.4.9‑alpha3 2.4.8‑p4 for 2.4.8‑p3 and earlier 2.4.7‑p9 for 2.4.7‑p8 and earlier 2.4.6‑p14 for 2.4.6‑p13 and earlier 2.4.5‑p16 for 2.4.5‑p15 and earlier 2.4.4‑p17 for 2.4.4‑p16 and earlier |
All | 2 | 2.4.x release notes |
| Adobe Commerce B2B | 1.5.3‑beta1 for 1.5.3‑alpha3 1.5.2‑p4 for 1.5.2‑p3 and earlier 1.4.2‑p9 for 1.4.2‑p8 and earlier 1.3.5‑p14 for 1.3.5‑p13 and earlier 1.3.4‑p16 for 1.3.4‑p15 and earlier 1.3.3‑p17 for 1.3.3‑p16 and earlier |
All | 2 | |
| Magento Open Source | 2.4.9‑beta1 for 2.4.9‑alpha3 2.4.8‑p4 for 2.4.8‑p3 and earlier 2.4.7‑p9 for 2.4.7‑p8 and earlier 2.4.6‑p14 for 2.4.6‑p13 and earlier 2.4.5‑p16 for 2.4.5‑p15 and earlier |
All | 2 | 2.4.9-beta1 release notes |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N | CVE-2026-21361 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N | CVE-2026-21284 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Critical | Yes | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2026-21289 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | CVE-2026-21290 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | No | 8.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N | CVE-2026-21311 | |
| Incorrect Authorization (CWE-863) | Privilege Escalation | Critical | Yes | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2026-21309 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2026-21285 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | Yes | Yes | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2026-21286 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CVE-2026-21291 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2026-21292 | |
| Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary file system read | Important | Yes | Yes | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | CVE-2026-21293 | |
| Server-Side Request Forgery (SSRF) (CWE-918) | Security feature bypass | Important | Yes | Yes | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | CVE-2026-21294 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | Yes | No | 4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L | CVE-2026-21359 | |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Security feature bypass | Important | Yes | Yes | 6.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
CVE-2026-21360 | |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | Yes | Yes | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CVE-2026-21282 | |
| Improper Input Validation (CWE-20) | Security feature bypass | Important | Yes | Yes | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CVE-2026-21310 | |
| URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) | Security feature bypass | Moderate | Yes | No | 3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2026-21295 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Moderate | Yes | Yes | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | CVE-2026-21296 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Moderate | Yes | Yes | 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N | CVE-2026-21297 |
Note
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Akash Hamal (akashhamal0x01) -- CVE-2026-21285, CVE-2026-21286, CVE-2026-21296, CVE-2026-21297, CVE-2026-21310
- jk-brah -- CVE-2026-21284
- Simon M -- CVE-2026-21289
- raywolfmaster -- CVE-2026-21290, CVE-2026-21291, CVE-2026-21292
- truff -- CVE-2026-21293, CVE-2026-21294, CVE-2026-21361
- schemonah -- CVE-2026-21295
- archyxsec -- CVE-2026-21311
- thlassche -- CVE-2026-21282
- 0x0.eth (0x0doteth) -- CVE-2026-21309
- fqdn -- CVE-2026-21359
- icare -- CVE-2026-21360
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
