CVE-2025-54236 CRITICAL

CVE-2025-54236: Adobe Commerce | Improper Input Validation (CWE-20)

Vendor Adobe

Product Adobe Commerce

Weakness CWE-20 · Input validation

KEV Status Known Exploited

Published September 9, 2025

Last update October 24, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

September 9, 2025 CVE published

October 24, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-54236 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html CISA KEV Reference https://experienceleague.adobe.com/en/docs/experience-cloud-kc… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2025-54236

Related vulnerabilities

CVE-2025-54236: Adobe Commerce | Improper Input Validation (CWE-20)

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE