CVE-2025-54236 · CRITICAL 9.1 · CISA KEV · EPSS p99.9%

CVE-2025-54236: Adobe Commerce and Magento Improper Input Validation Vulnerability

Adobe / Commerce and Magento

Description

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 96.74% probability of exploitation · percentile 99.9% · 2026-06-15T12:03:41Z
Published: 2025-09-09
Last modified: 2026-05-12

CISA KEV entry

Added to KEV: 2025-10-24

Underlying weaknesses · 1

CWE-20

References

  1. https://helpx.adobe.com/security/products/magento/apsb25-88.html
  2. https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397
  3. https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento
  4. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236

(outgoing) · 1

Type        Target                       Confidence   Tier
Weakness    Improper Input Validation    cwe-20       0%     live

(incoming) · 1

Type        Target                                                                    Confidence   Tier
KEVEntry    Adobe Commerce and Magento Improper Input Validation Vulnerability        kev-cve-2025-54236    0%    live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
CVE · CVE-2025-54263
CVE · Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
CVE · CVE-2025-43585
CVE · CVE-2025-24416
CVE · CVE-2025-24409

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.