CVE-2026-21294

MEDIUM

Adobe Commerce <=2.4.9-alpha3 - SSRF

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitation of this issue does not require user interaction.

References (1)

Scores

CVSS v3 5.5
EPSS 0.0006
EPSS Percentile 17.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Details

CWE
CWE-918
Status published
Products (4)
adobe/commerce 2.4.4 (17 CPE variants)
adobe/commerce 2.4.5 (16 CPE variants)
adobe/commerce 2.4.6 (14 CPE variants)
adobe/commerce 2.4.7 (3 CPE variants)
Published Mar 11, 2026
Tracked Since Mar 11, 2026