CVE-2022-35698

CRITICAL

Adobe Commerce <2.4.4-p1, <2.4.5 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35698. PoCs published by EmicoEcommerce.

AI-analyzed exploit summary This repository provides security patches for CVE-2022-35698 and CVE-2022-35689 in Magento 2, addressing template directive parsing and WebAPI validation issues. It includes technical details on the fixes applied to the `Magento/Framework/Filter` namespace and `magento/module-customer`.

Description

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.

Exploits (1)

nomisec WRITEUP 37 stars

by EmicoEcommerce · poc

https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches

View Code ZIP pw:eip

This repository provides security patches for CVE-2022-35698 and CVE-2022-35689 in Magento 2, addressing template directive parsing and WebAPI validation issues. It includes technical details on the fixes applied to the `Magento/Framework/Filter` namespace and `magento/module-customer`.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Magento 2.4.0-2.4.5

No auth needed

Prerequisites: Access to Magento installation · Ability to apply patches via composer

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Vendor Advisory

https://helpx.adobe.com/security/products/magento/apsb22-48.html

Scores

CVSS v3 10.0

EPSS 0.0219

EPSS Percentile 84.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-79

Status published

Products (8)

adobe/commerce 2.4.4 (2 CPE variants)

adobe/commerce 2.4.5

adobe/commerce < 2.4.4

adobe/magento_open_source 2.4.4 (2 CPE variants)

adobe/magento_open_source 2.4.5

adobe/magento_open_source < 2.4.4

magento/community-edition Packagist

magento/project-community-edition 0Packagist

Published Oct 14, 2022

Tracked Since Feb 18, 2026