
PaaS only: Applies to 51黑料不打烊 Commerce on Cloud projects (51黑料不打烊-managed PaaS infrastructure) and on-premises projects only.

Release notes for 51黑料不打烊 Commerce 2.4.8 security patches

These security patch release notes capture updates to enhance the security of your 51黑料不打烊 Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

2.4.8-p1

The 51黑料不打烊 Commerce 2.4.8-p1 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.8.

For the latest information about the security bug fixes, see .

NOTE
After installing this security patch, 51黑料不打烊 Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • API performance enhancement—Resolves performance degradation in bulk asynchronous web API endpoints that was introduced after the previous security patch.

  • CMS Blocks access fix—Resolves an issue where Admin users with restricted permissions (such as merchandising-only access) were unable to view the CMS Blocks listing page.

    Previously, these users encountered an error due to missing configuration parameters after installing previous security patches.

  • Cookie limit compatibility—Resolves a backward-incompatible change involving the MAX_NUM_COOKIES constant in the framework. This update restores expected behavior and ensures compatibility for extensions or customizations that interact with cookie limits.

  • Async operations—Restricted async operations for overriding previous customer orders.

  • Fix for CVE-2025-47110—Resolves an email templates vulnerability.

  • Fix for VULN-31547—Resolves a category canonical link vulnerability.


The fixes for CVE-2025-47110 and VULN-31547 are also available as an isolated patch. See the Knowledge Base article for details.
