CVE-2026-47994
Undergoing Analysis Undergoing Analysis - In Progress

BaseFortify

Vulnerability report for CVE-2026-47994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Adobe Systems Incorporated

Description

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
adobe commerce *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Adobe Commerce. A low-privileged attacker can exploit it by injecting malicious scripts into vulnerable form fields within the application.

When a victim browses a page containing the compromised field, the malicious JavaScript executes in their browser. This could allow the attacker to gain elevated access or control over the victim's account or session.

The vulnerability has a CVSS v3.1 base score of 8.7, indicating a high severity level. The vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N means it is exploitable over a network with low attack complexity, requires low privileges, and needs user interaction (victim browsing the page). It has a high impact on confidentiality and integrity but no impact on availability.

Impact Analysis

If you are a user of Adobe Commerce, this vulnerability could impact you in several ways:

  • An attacker could hijack your session, gaining unauthorized access to your account.
  • Malicious scripts could steal sensitive information, such as login credentials or personal data, from your browser.
  • The attacker might perform actions on your behalf, such as making unauthorized purchases or modifying account settings.
  • If you are an administrator, the attacker could escalate privileges, potentially taking control of the entire Adobe Commerce platform.

For organizations using Adobe Commerce, this vulnerability could lead to data breaches, reputational damage, and financial losses due to fraudulent activities.

Compliance Impact

This vulnerability could have significant implications for compliance with various standards and regulations:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or theft of personal data of EU citizens, it could result in a data breach. Organizations may face fines up to 4% of global annual revenue or €20 million, whichever is higher, for non-compliance.
  • HIPAA (Health Insurance Portability and Accountability Act): If Adobe Commerce is used to handle protected health information (PHI) and the vulnerability results in unauthorized access to this data, it could constitute a HIPAA violation. This may lead to fines ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year.
  • PCI DSS (Payment Card Industry Data Security Standard): If the vulnerability is exploited to steal payment card information, it could result in non-compliance with PCI DSS requirements. This may lead to fines, increased transaction fees, or even the loss of the ability to process credit card payments.

Organizations must ensure they apply the necessary patches or mitigations to address this vulnerability to maintain compliance with these regulations and avoid potential penalties.

Detection Guidance

Detecting this stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce requires checking for vulnerable form fields that allow script injection. Since the vulnerability involves malicious scripts being stored and executed when a victim accesses a compromised page, detection methods focus on identifying suspicious input fields or stored payloads.

  • Review Adobe Commerce logs for unusual or unexpected JavaScript payloads in form submissions. Look for entries containing script tags, event handlers (e.g., onerror, onclick), or other suspicious patterns like eval() or document.write.
  • Manually inspect form fields in Adobe Commerce that accept user input (e.g., comment fields, user profiles, or custom forms) for stored scripts. This can be done by submitting test payloads like <script>alert(1)</script> and checking if they are rendered in the page source when revisited.
  • Use a web vulnerability scanner (e.g., OWASP ZAP, Burp Suite) to automate the detection of stored XSS vulnerabilities. Configure the scanner to test form fields for script injection and verify if the payloads are stored and executed.
  • Check the database for stored malicious scripts. For example, query tables that store user-generated content (e.g., comments, profiles) for entries containing JavaScript code. Example SQL query (adjust table/column names as needed): SELECT * FROM user_content WHERE content LIKE '%<script>%';

Since this is a stored XSS vulnerability, network-based detection (e.g., IDS/IPS) may not be effective unless the malicious payload is actively being transmitted. Focus on application-level and database-level checks.

Mitigation Strategies

To mitigate this stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce, follow these immediate steps to reduce the risk of exploitation.

  • Apply the latest security patches or updates provided by Adobe for Adobe Commerce. Check Adobe's security bulletins or release notes for fixes related to CVE-2026-47994.
  • Implement input validation and output encoding for all user-supplied data. Ensure that form fields sanitize input by stripping or escaping HTML/JavaScript tags before storing or rendering them.
  • Enable Content Security Policy (CSP) headers to restrict the execution of inline scripts and unauthorized external resources. Example CSP header: Content-Security-Policy: script-src 'self'; object-src 'none';
  • Restrict access to administrative or sensitive areas of Adobe Commerce to trusted users only. Use role-based access control (RBAC) to limit privileges for low-privileged accounts.
  • Monitor and audit user-generated content for suspicious activity. Set up alerts for unusual script injections or unexpected changes to stored data.
  • If a patch is not immediately available, consider temporarily disabling or restricting access to vulnerable form fields until a fix can be applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart