CVE-2022-24086

CRITICAL9.8⚠ KEVEPSS 93.7%

Magento improper input validation vulnerability

Published: 2/17/2022Modified: 10/22/2025Added to CISA KEV: 2/15/2022

Also known as:GHSA-f8fv-f786-9933BIT-magento-2022-24086

Description

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

Affected packages (2)

Bitnami/magentofrom 0, < 2.3.0 | >= 2.3.3, <= 2.3.6, >= 2.3.7-p1, <= 2.3.7-p1, >= 2.3.7-p2, <= 2.3.7-p2, >= 2.4.0, <= 2.4.2, >= 2.4.3-p1, <= 2.4.3-p1, >= 2.4.3, <= 2.4.3
Packagist/magento/community-edition>= 2.3.3-p1, < 2.3.7-p3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24086
PATCHhttps://github.com/magento/magento2
WEBhttps://helpx.adobe.com/security/products/magento/apsb22-12.html
WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24086