CVE-2026-34653

EUVD-2026-29762

12.05.2026, 20:16

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.7 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 44%

Affected Products (NVD)

Vendor	Product	Version
adobe	commerce	𝑥 < 2.4.4
adobe	commerce	2.4.4
adobe	commerce	2.4.4:p1
adobe	commerce	2.4.4:p10
adobe	commerce	2.4.4:p11
adobe	commerce	2.4.4:p12
adobe	commerce	2.4.4:p13
adobe	commerce	2.4.4:p14
adobe	commerce	2.4.4:p15
adobe	commerce	2.4.4:p16
adobe	commerce	2.4.4:p17
adobe	commerce	2.4.4:p2
adobe	commerce	2.4.4:p3
adobe	commerce	2.4.4:p4
adobe	commerce	2.4.4:p5
adobe	commerce	2.4.4:p6
adobe	commerce	2.4.4:p7
adobe	commerce	2.4.4:p8
adobe	commerce	2.4.4:p9
adobe	commerce	2.4.5
adobe	commerce	2.4.5:p1
adobe	commerce	2.4.5:p10
adobe	commerce	2.4.5:p11
adobe	commerce	2.4.5:p12
adobe	commerce	2.4.5:p13
adobe	commerce	2.4.5:p14
adobe	commerce	2.4.5:p15
adobe	commerce	2.4.5:p16
adobe	commerce	2.4.5:p2
adobe	commerce	2.4.5:p3
adobe	commerce	2.4.5:p4
adobe	commerce	2.4.5:p5
adobe	commerce	2.4.5:p6
adobe	commerce	2.4.5:p7
adobe	commerce	2.4.5:p8
adobe	commerce	2.4.5:p9
adobe	commerce	2.4.6
adobe	commerce	2.4.6:p1
adobe	commerce	2.4.6:p10
adobe	commerce	2.4.6:p11
adobe	commerce	2.4.6:p12
adobe	commerce	2.4.6:p13
adobe	commerce	2.4.6:p14
adobe	commerce	2.4.6:p2
adobe	commerce	2.4.6:p3
adobe	commerce	2.4.6:p4
adobe	commerce	2.4.6:p5
adobe	commerce	2.4.6:p6
adobe	commerce	2.4.6:p7
adobe	commerce	2.4.6:p8
adobe	commerce	2.4.6:p9
adobe	commerce	2.4.7
adobe	commerce	2.4.7:b1
adobe	commerce	2.4.7:b2
adobe	commerce	2.4.7:beta3
adobe	commerce	2.4.7:p1
adobe	commerce	2.4.7:p2
adobe	commerce	2.4.7:p3
adobe	commerce	2.4.7:p4
adobe	commerce	2.4.7:p5
adobe	commerce	2.4.7:p6
adobe	commerce	2.4.7:p7
adobe	commerce	2.4.7:p8
adobe	commerce	2.4.7:p9
adobe	commerce	2.4.8
adobe	commerce	2.4.8:beta1
adobe	commerce	2.4.8:beta2
adobe	commerce	2.4.8:p1
adobe	commerce	2.4.8:p2
adobe	commerce	2.4.8:p3
adobe	commerce	2.4.8:p4
adobe	commerce	2.4.9:beta1
adobe	commerce_b2b	𝑥 < 1.3.3
adobe	commerce_b2b	1.3.3
adobe	commerce_b2b	1.3.3:p1
adobe	commerce_b2b	1.3.3:p10
adobe	commerce_b2b	1.3.3:p11
adobe	commerce_b2b	1.3.3:p12
adobe	commerce_b2b	1.3.3:p13
adobe	commerce_b2b	1.3.3:p14
adobe	commerce_b2b	1.3.3:p15
adobe	commerce_b2b	1.3.3:p16
adobe	commerce_b2b	1.3.3:p17
adobe	commerce_b2b	1.3.3:p2
adobe	commerce_b2b	1.3.3:p3
adobe	commerce_b2b	1.3.3:p4
adobe	commerce_b2b	1.3.3:p5
adobe	commerce_b2b	1.3.3:p6
adobe	commerce_b2b	1.3.3:p7
adobe	commerce_b2b	1.3.3:p8
adobe	commerce_b2b	1.3.3:p9
adobe	commerce_b2b	1.3.4
adobe	commerce_b2b	1.3.4:p1
adobe	commerce_b2b	1.3.4:p10
adobe	commerce_b2b	1.3.4:p11
adobe	commerce_b2b	1.3.4:p12
adobe	commerce_b2b	1.3.4:p13
adobe	commerce_b2b	1.3.4:p14
adobe	commerce_b2b	1.3.4:p15
adobe	commerce_b2b	1.3.4:p16
adobe	commerce_b2b	1.3.4:p2
adobe	commerce_b2b	1.3.4:p3
adobe	commerce_b2b	1.3.4:p4
adobe	commerce_b2b	1.3.4:p5
adobe	commerce_b2b	1.3.4:p6
adobe	commerce_b2b	1.3.4:p7
adobe	commerce_b2b	1.3.4:p8
adobe	commerce_b2b	1.3.4:p9
adobe	commerce_b2b	1.4.2
adobe	commerce_b2b	1.4.2:p1
adobe	commerce_b2b	1.4.2:p2
adobe	commerce_b2b	1.4.2:p3
adobe	commerce_b2b	1.4.2:p4
adobe	commerce_b2b	1.4.2:p5
adobe	commerce_b2b	1.4.2:p6
adobe	commerce_b2b	1.4.2:p7
adobe	commerce_b2b	1.4.2:p8
adobe	commerce_b2b	1.4.2:p9
adobe	commerce_b2b	1.5.2
adobe	commerce_b2b	1.5.2:p1
adobe	commerce_b2b	1.5.2:p2
adobe	commerce_b2b	1.5.2:p3
adobe	commerce_b2b	1.5.2:p4
adobe	commerce_b2b	1.5.3:beta1
adobe	magento	𝑥 < 2.4.6
adobe	magento	2.4.6
adobe	magento	2.4.6:p1
adobe	magento	2.4.6:p10
adobe	magento	2.4.6:p11
adobe	magento	2.4.6:p12
adobe	magento	2.4.6:p13
adobe	magento	2.4.6:p14
adobe	magento	2.4.6:p2
adobe	magento	2.4.6:p3
adobe	magento	2.4.6:p4
adobe	magento	2.4.6:p5
adobe	magento	2.4.6:p6
adobe	magento	2.4.6:p7
adobe	magento	2.4.6:p8
adobe	magento	2.4.6:p9
adobe	magento	2.4.7
adobe	magento	2.4.7:b1
adobe	magento	2.4.7:b2
adobe	magento	2.4.7:beta3
adobe	magento	2.4.7:p1
adobe	magento	2.4.7:p2
adobe	magento	2.4.7:p3
adobe	magento	2.4.7:p4
adobe	magento	2.4.7:p5
adobe	magento	2.4.7:p6
adobe	magento	2.4.7:p7
adobe	magento	2.4.7:p8
adobe	magento	2.4.7:p9
adobe	magento	2.4.8
adobe	magento	2.4.8:beta1
adobe	magento	2.4.8:beta2
adobe	magento	2.4.8:p1
adobe	magento	2.4.8:p2
adobe	magento	2.4.8:p3
adobe	magento	2.4.8:p4
adobe	magento	2.4.9:beta1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://helpx.adobe.com/security/products/magento/apsb26-49.html