GHSA-wh92-6q6g-px7j: Magento Community Edition Improper Input Validation vulnerability
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an improper input validation vulnerability that could result in a security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
CVE ID
CVE-2025-54236
Severity: Critical (GitHub Reviewed). Published Sep 9, 2025 to the GitHub Advisory Database; updated Sep 10, 2025.
Package
composer magento/community-edition (Composer)
Affected versions
<= 2.4.5-p14
= 2.4.5
= 2.4.6
>= 2.4.6-p1, <= 2.4.6-p12
= 2.4.7
>= 2.4.7-beta1, <= 2.4.7-p7
= 2.4.8
>= 2.4.8-beta1, <= 2.4.8-p2
= 2.4.9
>= 2.4.9-alpha1, <= 2.4.9-alpha2
composer magento/project-community-edition (Composer)
Published to the GitHub Advisory Database
Sep 9, 2025
Last updated
Sep 10, 2025
Related news
A Magento bug called SessionReaper is doing the rounds, and researchers warn it’s letting attackers hijack real shopping sessions.
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be
In a world where threats are persistent, the modern CISO’s real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of