Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Conclusion & alert: CVE-2026-21311 is rated Moderate Risk (41.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.10%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-11 | — | 0.10% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.0 | 3.1 | HIGH |
|
1.6 | 5.8 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| adobe | commerce | < 2.4.4 | cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p16:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:* |
| adobe | commerce | 2.4.4 | cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p13:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p14:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p15:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p6:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p8:*:*:*:*:*:* |
| adobe | commerce | 2.4.5 | cpe:2.3:a:adobe:commerce:2.4.5:p9:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p10:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p11:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p12:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p13:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p4:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p5:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p6:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p7:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p8:*:*:*:*:*:* |
| adobe | commerce | 2.4.6 | cpe:2.3:a:adobe:commerce:2.4.6:p9:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:b1:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:b2:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:beta3:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p4:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p5:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p6:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p7:*:*:*:*:*:* |
| adobe | commerce | 2.4.7 | cpe:2.3:a:adobe:commerce:2.4.7:p8:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:-:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:beta1:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:beta2:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:p1:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:p2:*:*:*:*:*:* |
| adobe | commerce | 2.4.8 | cpe:2.3:a:adobe:commerce:2.4.8:p3:*:*:*:*:*:* |
| adobe | commerce | 2.4.9 | cpe:2.3:a:adobe:commerce:2.4.9:alpha1:*:*:*:*:*:* |
| adobe | commerce | 2.4.9 | cpe:2.3:a:adobe:commerce:2.4.9:alpha2:*:*:*:*:*:* |
| adobe | commerce | 2.4.9 | cpe:2.3:a:adobe:commerce:2.4.9:alpha3:*:*:*:*:*:* |
| adobe | commerce_b2b | < 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:*:*:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p13:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p14:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p15:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p16:*:*:*:*:*:* |
| adobe | commerce_b2b | 1.3.3 | cpe:2.3:a:adobe:commerce_b2b:1.3.3:p2:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento/apsb26-05.html | Vendor Advisory |