CVE-2026-34647

HIGH

Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)

Title source: cna

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://helpx.adobe.com/security/products/magento/apsb26-49.html

Scores

CVSS v3 7.4

EPSS 0.0011

EPSS Percentile 28.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

Adobe/Adobe Commerce < 2.4.4-p17

adobe/commerce 2.4.4 (18 CPE variants)

adobe/commerce 2.4.5 (17 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

Published May 12, 2026

Tracked Since May 13, 2026