DocumentationCommerceCommerce KB

[PaaS only]{class="badge informative" title="Applies to Adobe Commerce on Cloud projects (Adobe-managed PaaS infrastructure) and on-premises projects only."}

Security update available for Adobe Commerce - APSB25-50

Last update: Wed Jun 18 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Developer

On June 10, 2025, Adobe released a regularly scheduled security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities. Successful exploitation of these vulnerabilities could lead to security feature bypass, privilege escalation, and arbitrary code execution.

More information can be found in the Adobe Security Bulletin (APSB25-50) here.

NOTE
To help ensure that the remediation for CVE-2025-47110 listed in the security bulletin above, can be applied as promptly as possible, Adobe has also released an isolated patch that resolves CVE-2025-47110. This allows merchants to apply the fix in isolation with fewer risks of delay due to potential integration issues.

Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and Adobe will have limited means to help remediate the issue further.

You can read more about our isolated patch deployment process here.

NOTE
For Adobe Commerce on Managed Services customers, your Customer Success Engineer can provide additional guidance on applying the patch.
NOTE
Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.

As a reminder, you can find the latest Security updates available for Adobe Commerce here.

Affected products and versions

Adobe Commerce (all deployment menthods):

  • 2.4.8
  • 2.4.7-p5 and earlier
  • 2.4.6-p10 and earlier
  • 2.4.5-p12 and earlier
  • 2.4.4-p13 and earlier

Issues

I. CVE-2025-47110: Stored XSS via Server-Side Template Injection in Adobe Commerce 2.4.7-p4

Affected products and versions:

Adobe Commerce (all deployment menthods):

  • 2.4.8
  • 2.4.7-p5 and earlier
  • 2.4.6-p10 and earlier
  • 2.4.5-p12 and earlier
  • 2.4.4-p13 and earlier

Solution:

For Adobe Commerce versions:

  • 2.4.8
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p10
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12
  • 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13

Apply the following isolated patch or upgrade to the latest security patch.

II. VULN-31547: Reflected XSS in marketplace.magento.com + one-click ATO issue impacting IMS instances

Affected products and versions:

Adobe Commerce (all deployment menthods):

  • 2.4.8

Solution:

For Adobe Commerce versions:

  • 2.4.8

Apply the following isolated patch or upgrade to the latest security patch.

How to apply the Isolated patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied

Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the CVE-2025-47110 isolated patch has been successfully applied.

NOTE
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an EXAMPLE:

  1. Install the Quality Patches Tool.

  2. Run the command:

    cve-2024-34102-tell-if-patch-applied-code

  3. You should see output similar to this, where VULN-27015 returns the  Applied  status:

    code language-bash 
    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║ ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom

Security updates

Security updates available for Adobe Commerce:

recommendation-more-help
8bd06ef0-b3d5-4137-b74e-d7b00485808a