GHSA-wh92-6q6g-px7j: Magento Community Edition Improper Input Validation vulnerability
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. An attacker who successfully exploits it can achieve session takeover, which raises the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
Source: GitHub Advisory Database (GitHub Reviewed)
CVE ID: CVE-2025-54236
Severity: Critical
Published to the GitHub Advisory Database: Sep 9, 2025
Last updated: Sep 10, 2025
Package: magento/community-edition (Composer)
Affected versions:
  <= 2.4.5-p14
  = 2.4.5
  = 2.4.6
  >= 2.4.6-p1, <= 2.4.6-p12
  = 2.4.7
  >= 2.4.7-beta1, <= 2.4.7-p7
  = 2.4.8
  >= 2.4.8-beta1, <= 2.4.8-p2
  = 2.4.9
  >= 2.4.9-alpha1, <= 2.4.9-alpha2

Package: magento/project-community-edition (Composer)
Related news
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of