DocumentationCommerceRelease information

[PaaS only]{class="badge informative" title="Applies to Adobe Commerce on Cloud projects (Adobe-managed PaaS infrastructure) and on-premises projects only."}

Release notes for Adobe Commerce 2.4.8 security patches

Last update: Wed Jun 18 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Experienced
  • Admin
  • Developer

These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

2.4.8-p1

The Adobe Commerce 2.4.8-p1 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.8.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB25-50.

NOTE
After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • API performance enhancement—Resolves performance degradation in bulk asynchronous web API endpoints that were introduced after the previous security patch.

  • CMS Blocks access fix—Resolves an issue where Admin users with restricted permissions (such as merchandising-only access) were unable to view the CMS Blocks listing page.

    Previously, these users encountered an error due to missing configuration parameters after installing previous security patches.

  • Cookie limit compatibility—Resolves a backward-incompatible change involving the MAX_NUM_COOKIES constant in the framework. This update restores expected behavior and ensures compatibility for extensions or customizations that interact with cookie limits.

  • Async operations—Restricted async operations for overriding previous customers orders.

  • Fix for CVE-2025-47110—Resolves an email templates vulnerability.

  • Fix for VULN-31547—Resolves a category canonical link vulnerability.

recommendation-more-help

The fixes for CVE-2025-47110 and VULN-31547 are also available as an isolated patch. See the Knowledge Base article for details.

style
shade-box
1d4eef6c-fef1-4e61-85eb-b58d7b9ac29f