CVE-2025-47110: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110) that was disclosed on June 10, 2025. The vulnerability affects both Adobe Commerce and Magento Open Source platforms, receiving a critical CVSS score of 9.1 (NVD, Wiz).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) that could be exploited by attackers with high privileges. The critical severity is reflected in its CVSS v3.1 score of 9.1, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high potential impact on confidentiality, integrity, and availability (NVD).

Successful exploitation of this vulnerability could result in arbitrary code execution when a victim browses to a page containing the compromised field. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability. The vulnerability affects multiple versions of Adobe Commerce and Magento Open Source, potentially exposing numerous e-commerce platforms to security risks (Hacker News).

Adobe has released patches to address this vulnerability as part of a larger security update that addresses a total of 254 security flaws. Users are advised to update their Adobe Commerce and Magento Open Source installations to the latest versions (Hacker News).