GHSA-5m55-g8pv-x8ww · Severity: medium · Ecosystem: composer — Magento stored Cross-Site Scripting (XSS) vulnerability
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Conclusion & alert: CVE-2022-34258 is rated Moderate Risk (58.9/100): CVSS Medium severity, with high exploitation likelihood (EPSS 68.31%, 99th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +52.12% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 16.18% | 68.31% | +52.12% |
| 2 | 2025-11-21 | 14.15% | 16.18% | +2.04% |
| 3 | 2025-11-18 | — | 14.15% | — |
Full EPSS history (22 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.8 | 3.1 | MEDIUM |
|
1.7 | 2.7 | [email protected] |
| 4.8 | 3.1 | MEDIUM |
|
1.7 | 2.7 | [email protected] |
GHSA-5m55-g8pv-x8ww · Severity: medium · Ecosystem: composer — Magento stored Cross-Site Scripting (XSS) vulnerability
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| adobe | commerce | >= 2.3.0, < 2.3.7 | cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:* |
| adobe | commerce | >= 2.4.0, < 2.4.3 | cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:* |
| adobe | commerce | 2.3.7 | cpe:2.3:a:adobe:commerce:2.3.7:-:*:*:*:*:*:* |
| adobe | commerce | 2.3.7 | cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:* |
| adobe | commerce | 2.3.7 | cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:* |
| adobe | commerce | 2.3.7 | cpe:2.3:a:adobe:commerce:2.3.7:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.3 | cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.3 | cpe:2.3:a:adobe:commerce:2.4.3:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.3 | cpe:2.3:a:adobe:commerce:2.4.3:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* |
| magento | magento | >= 2.3.0, < 2.3.7 | cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:* |
| magento | magento | >= 2.4.0, < 2.4.3 | cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:-:*:*:commerce:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:p1:*:*:commerce:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:p2:*:*:commerce:*:*:* |
| magento | magento | 2.3.7 | cpe:2.3:a:magento:magento:2.3.7:p3:*:*:commerce:*:*:* |
| magento | magento | 2.4.3 | cpe:2.3:a:magento:magento:2.4.3:-:*:*:commerce:*:*:* |
| magento | magento | 2.4.3 | cpe:2.3:a:magento:magento:2.4.3:p1:*:*:commerce:*:*:* |
| magento | magento | 2.4.3 | cpe:2.3:a:magento:magento:2.4.3:p2:*:*:commerce:*:*:* |
| magento | magento | 2.4.4 | cpe:2.3:a:magento:magento:2.4.4:-:*:*:commerce:*:*:* |
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento/apsb22-38.html | Vendor Advisory |