CVE-2025-54266 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. This vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a high-privileged attacker to inject malicious JavaScript code that is stored persistently on the server. When a victim user visits the affected page containing the injected script, the malicious code executes in their browser context, potentially leading to theft of session tokens, user impersonation, or unauthorized actions within the web application. The attack requires the attacker to have high privileges within Adobe Commerce, such as administrative access, and requires the victim to interact by visiting the compromised page, which changes the scope of impact to include other users. The CVSS 3.1 base score is 4.8, reflecting medium severity, with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N indicating network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and limited confidentiality and integrity impact without availability impact. No public exploits have been reported yet, but the vulnerability poses a risk to the confidentiality and integrity of user data and session information. Adobe Commerce is widely used in e-commerce platforms, making this vulnerability relevant to organizations relying on this software for online retail operations.

For European organizations, this vulnerability could lead to unauthorized access to user accounts, session hijacking, and potential data leakage, especially in e-commerce environments where customer trust and data protection are critical. The confidentiality of user credentials and personal data could be compromised if malicious scripts steal cookies or other sensitive information. Integrity of the web application could be affected if attackers perform unauthorized actions on behalf of users. Although availability is not impacted, the reputational damage and regulatory consequences under GDPR for data breaches could be significant. The requirement for high privileges to exploit somewhat limits the threat to insider attackers or compromised administrator accounts. However, given the widespread use of Adobe Commerce in Europe’s e-commerce sector, the risk remains notable, particularly for organizations with less stringent internal access controls or delayed patch management.

Organizations should immediately verify their Adobe Commerce version and apply official patches or updates once available from Adobe. In the absence of patches, implement strict input validation and output encoding on all form fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit administrative privileges strictly to trusted personnel and enforce multi-factor authentication to reduce the risk of privilege abuse. Monitor logs for unusual administrative activities and conduct regular security audits of the e-commerce platform. Educate users and administrators about the risks of clicking on suspicious links or visiting untrusted pages within the commerce environment. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Adobe Commerce. Finally, maintain an incident response plan to quickly address potential exploitation attempts.