CVE-2022-24086 CRITICAL

CVE-2022-24086: Adobe Commerce checkout improper input validation leads to remote code execution

Vendor Adobe

Product Magento Commerce

Weakness CWE-20 · Input validation

KEV Status Known Exploited

Published February 16, 2022

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

February 16, 2022 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-24086 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2022-24086

Related vulnerabilities

Identifiers

CVE CVE-2022-24086

CWE CWE-20

CVSS 9.8 / CRITICAL

Affected versions

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.4.3-p1

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.3.7-p2

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ None

CVE-2022-24086: Adobe Commerce checkout improper input validation leads to remote code execution

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE