mediumCVE-2026-48371

CVE-2026-48371 in Adobe Commerce

Adobe Commerce has a stored XSS issue that can let a low-privilege user place script in vulnerable fields.

ProductAdobe Commerce / Magento Open Source
CVSS5.4
EPSS0.00294
UpdatedJuly 15, 2026

Quick answer

Adobe Commerce / Magento Open Source should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Adobe Commerce 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier, 2.4.5-p17 and earlier, 2.4.4-p18 and earlier
  • Adobe Commerce B2B 1.5.3, 1.5.2-p5 and earlier, 1.4.2-p10 and earlier, 1.3.4-p17 and earlier, 1.3.3-p18 and earlier
  • Magento Open Source 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier
  • Adobe Commerce Events 1.6.0 through 1.20.0

Fixed versions

  • Adobe Commerce 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, or 2.4.4-2026-jul
  • Adobe Commerce B2B 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, or 1.3.3-2026-jul
  • Magento Open Source 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, or 2.4.6-2026-jul
  • Adobe Commerce Events 1.21.0 or later

How to fix it

Update Adobe Commerce or Magento Open Source. This fixes a stored XSS issue listed in Adobe APSB26-73.

  1. Back up the store files and database.
  2. Apply the July 2026 Adobe Commerce security update or the isolated patch for your branch.
  3. Update Adobe Commerce B2B or Adobe Commerce Events too if they are installed.
  4. Clear cache, recompile, and test checkout, admin, and customer flows.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the installed branch matches the July 2026 fixed version or patch.
  • Run the vulnerability scan again and confirm this CVE is gone.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-48371?

Adobe Commerce / Magento Open Source versions listed as affected should be reviewed: Adobe Commerce 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier, 2.4.5-p17 and earlier, 2.4.4-p18 and earlier, Adobe Commerce B2B 1.5.3, 1.5.2-p5 and earlier, 1.4.2-p10 and earlier, 1.3.4-p17 and earlier, 1.3.3-p18 and earlier, Magento Open Source 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier, Adobe Commerce Events 1.6.0 through 1.20.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.