{"api_version":"1","generated_at":"2026-05-13T01:06:36+00:00","cve":"CVE-2026-34653","urls":{"html":"https://cve.report/CVE-2026-34653","api":"https://cve.report/api/cve/CVE-2026-34653.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34653","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34653"},"summary":{"title":"Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)","description":"Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.","state":"PUBLISHED","assigner":"adobe","published_at":"2026-05-12 20:16:36","updated_at":"2026-05-12 20:16:36"},"problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"],"metrics":[{"version":"3.1","source":"psirt@adobe.com","type":"Primary","score":"8.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","availabilityRequirement":"NOT_DEFINED","baseScore":8.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":8.7,"environmentalSeverity":"HIGH","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":8.7,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://helpx.adobe.com/security/products/magento/apsb26-49.html","name":"https://helpx.adobe.com/security/products/magento/apsb26-49.html","refsource":"psirt@adobe.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34653","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34653","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Adobe","product":"Adobe Commerce","version":"affected 2.4.4-p17 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"Adobe Commerce","vendor":"Adobe","versions":[{"lessThanOrEqual":"2.4.4-p17","status":"affected","version":"0","versionType":"semver"}]}],"datePublic":"2026-05-12T17:00:00.000Z","descriptions":[{"lang":"en","value":"Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","availabilityRequirement":"NOT_DEFINED","baseScore":8.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","confidentialityRequirement":"NOT_DEFINED","environmentalScore":8.7,"environmentalSeverity":"HIGH","exploitCodeMaturity":"NOT_DEFINED","integrityImpact":"HIGH","integrityRequirement":"NOT_DEFINED","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"HIGH","modifiedScope":"CHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","scope":"CHANGED","temporalScore":8.7,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T19:50:29.984Z","orgId":"078d4453-3bcd-4900-85e6-15281da43538","shortName":"adobe"},"references":[{"tags":["vendor-advisory"],"url":"https://helpx.adobe.com/security/products/magento/apsb26-49.html"}],"source":{"discovery":"EXTERNAL"},"title":"Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"}},"cveMetadata":{"assignerOrgId":"078d4453-3bcd-4900-85e6-15281da43538","assignerShortName":"adobe","cveId":"CVE-2026-34653","datePublished":"2026-05-12T19:50:29.984Z","dateReserved":"2026-03-30T17:30:36.493Z","dateUpdated":"2026-05-12T19:50:29.984Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-12 20:16:36","lastModifiedDate":"2026-05-12 20:16:36","problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)"],"metrics":{"cvssMetricV31":[{"source":"psirt@adobe.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":5.8}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34653","Ordinal":"1","Title":"Adobe Commerce | Improper Limitation of a Pathname to a Restrict","CVE":"CVE-2026-34653","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34653","Ordinal":"1","NoteData":"Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.","Type":"Description","Title":"Adobe Commerce | Improper Limitation of a Pathname to a Restrict"}]}}}