Adobe Commerce Stored XSS Puts Low-Privilege Attackers in Control (CVE-2026-34686)
The National Vulnerability Database has issued an advisory for CVE-2026-34686, a high-severity stored Cross-Site Scripting (XSS) vulnerability impacting multiple versions of Adobe Commerce. This flaw, rated with a CVSS score of 8.7, allows a low-privileged attacker to inject malicious scripts into vulnerable form fields.
When a victim navigates to a page containing these compromised fields, the injected JavaScript executes within their browser. This could lead to session hijacking, elevated access, or complete control over the victim’s account within the Adobe Commerce environment. The scope of this attack is significant, as a successful exploit bypasses typical access controls by leveraging the victim’s authenticated session.
Defenders must prioritize patching. This isn’t theoretical; an attacker with even minimal access could weaponize this to escalate privileges or steal sensitive data. The attacker’s calculus here is simple: find a weak link, inject code, and wait for a privileged user to trigger it, essentially turning a low-privilege entry point into a high-impact compromise.
What This Means For You
- If your organization uses Adobe Commerce, immediately identify all instances running versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, or earlier. Prioritize patching these systems to mitigate CVE-2026-34686. Audit administrative user activity for any unusual behavior or unauthorized script injections, especially if you cannot patch immediately.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-34686 - Adobe Commerce Stored XSS - Malicious Script Injection
title: CVE-2026-34686 - Adobe Commerce Stored XSS - Malicious Script Injection
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-34686 by injecting a script tag into the product name field within the Adobe Commerce admin panel. This specific URI path and query parameter pattern is indicative of the stored XSS vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-34686/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/admin/catalog/product/edit/'
cs-uri-query|contains:
- 'name=<script>'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34686 | XSS | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier |
| CVE-2026-34686 | XSS | Stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2026-34686 | XSS | Vulnerable form fields |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal
CVE-2026-7474 — HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This...
CVE-2026-44225: Pulpy Packager Allows Arbitrary File Access
CVE-2026-44225 — Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged...
ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases
CVE-2026-44221 — ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate...