CVE-2025-54264 Overview
CVE-2025-54264 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. The flaw allows a high-privileged attacker to inject malicious JavaScript into vulnerable form fields. When a victim browses to the page rendering the stored payload, the script executes in their browser session. Adobe disclosed the issue in advisory APSB25-94 and assigned it [CWE-79]. The vulnerability has a changed scope, meaning the injected script can affect resources beyond the originally compromised component.
Critical Impact
A successful exploit enables session takeover against authenticated users — including administrators — leading to high confidentiality and integrity impact on the affected storefront and admin panel.
Affected Products
- Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier
- Adobe Commerce B2B versions 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.5-p12, 1.3.4-p14, 1.3.3-p15 and earlier
- Magento Open Source versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12 and earlier
Discovery Timeline
- 2025-10-14 - CVE-2025-54264 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54264
Vulnerability Analysis
The vulnerability is a stored XSS flaw in Adobe Commerce form-field handling. Input submitted by a high-privileged user is persisted without sufficient output encoding or sanitization. When the affected page is later rendered, the stored payload executes as JavaScript in the victim's browser. Because the CVSS scope is changed, the malicious script can reach resources outside the vulnerable component's security context, broadening the blast radius. The EPSS probability sits at 0.551% (percentile 41.7), indicating low but non-trivial exploitation likelihood.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Adobe Commerce does not adequately encode or filter HTML/JavaScript metacharacters in specific administrative form fields before storing them or rendering them back to a viewer. The flaw lies in the rendering layer, where user-controlled data is emitted into the DOM without context-aware escaping.
Attack Vector
Exploitation requires an authenticated attacker with high privileges, such as an admin user with content-management rights. The attacker submits a crafted payload into a vulnerable form field. The payload is persisted in the application's data store. A separate victim — typically another administrator or merchant user — must browse to the page that renders the injected field. The script then executes in the victim's browser, enabling session token theft, forced administrative actions, or pivoting to other backend resources due to the changed scope.
No public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Adobe Security Advisory APSB25-94 for vendor-published technical detail.
Detection Methods for CVE-2025-54264
Indicators of Compromise
- Unexpected <script>, onerror, onload, or javascript: strings stored in Adobe Commerce database tables backing admin-editable form fields
- Admin or staff sessions exhibiting unsolicited API calls, privilege changes, or new admin user creation shortly after viewing a content page
- Outbound HTTP requests from admin browsers to attacker-controlled domains carrying session cookies or CSRF tokens
Detection Strategies
- Audit recently modified records in catalog, customer, CMS block, and configuration tables for HTML or JavaScript markup using database queries
- Deploy a Content Security Policy (CSP) in report-only mode and review violation reports for inline script execution within the Magento admin
- Correlate Adobe Commerce admin activity logs with web access logs to identify high-privileged accounts submitting unusual field content
Monitoring Recommendations
- Enable and centralize Adobe Commerce admin action logs, web server access logs, and database audit logs
- Alert on admin session usage from unfamiliar IP addresses, user agents, or geographies
- Monitor for changes to admin user roles, API keys, and integration tokens that follow page-view events in the admin panel
How to Mitigate CVE-2025-54264
Immediate Actions Required
- Apply the latest Adobe Commerce, Commerce B2B, and Magento Open Source security patches referenced in APSB25-94
- Review and reduce the number of accounts holding high-privilege admin roles in Adobe Commerce
- Rotate admin session secrets, API tokens, and integration credentials after patching if compromise is suspected
- Audit stored content fields for previously injected payloads before returning the system to normal operation
Patch Information
Adobe addressed CVE-2025-54264 in the security update published as APSB25-94. Upgrade to a fixed release that supersedes the vulnerable versions listed above. Consult the Adobe Security Advisory APSB25-94 for the exact fixed version map for each product track.
Workarounds
- Restrict admin panel access to trusted IP ranges using web server access controls or a WAF
- Enforce a strict Content Security Policy that blocks inline scripts in the Magento admin interface
- Require multi-factor authentication for all admin accounts to raise the cost of credential abuse needed to reach the vulnerable form fields
- Limit high-privilege role assignment to a minimal set of named operators and review entitlements regularly
# Example: place the Adobe Commerce admin URL behind a network allowlist
# nginx snippet restricting /admin to specific source ranges
location ^~ /admin {
allow 203.0.113.0/24;
allow 198.51.100.10;
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

