Adobe

Security update available for Adobe Commerce - APSB25-50

On June 10, 2025, Adobe released a regularly scheduled security update for Adobe Commerce and Magento Open Source. This update resolves the vulnerabilities listed below. Successful exploitation of these vulnerabilities could lead to security feature bypass, privilege escalation, and arbitrary code execution.

More information can be found in the .

NOTE: Ensure that the remediation for CVE-2025-47110 listed in the security bulletin above is applied as promptly as possible. Adobe has also released an isolated patch that resolves CVE-2025-47110 on its own, so merchants can apply that fix without waiting on the full security update and with less risk of delay from integration issues.

Please apply the latest security updates as soon as possible. Until you do, your store remains exposed to these issues, and Adobe will have limited means to help remediate them further.

You can read more about .

NOTE: For Adobe Commerce on Managed Services customers, your Customer Success Engineer can provide additional guidance on applying the patch.

NOTE: Please contact Support Services if you encounter any issues applying the security patch or the isolated patch.

As a reminder, you can find .

Description

Affected Products and Versions

Adobe Commerce (all deployment methods):

  • 2.4.8
  • 2.4.7-p5 and earlier
  • 2.4.6-p10 and earlier
  • 2.4.5-p12 and earlier
  • 2.4.4-p13 and earlier

Issues

  • Adobe Commerce versions 2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier are affected by a stored cross-site scripting (XSS) vulnerability via server-side template injection.
  • Adobe Commerce version 2.4.8 is affected by a reflected XSS vulnerability in marketplace.magento.com and a one-click account takeover (ATO) issue in IMS instances.

Resolution

I. CVE-2025-47110: Stored XSS via Server-Side Template Injection in Adobe Commerce 2.4.7-p4

For Adobe Commerce versions:

  • 2.4.8
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12
  • 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13

Apply the following isolated patch or upgrade to the latest security patch.

II. VULN-31547: Reflected XSS in marketplace.magento.com + one-click ATO issue impacting IMS instances

For Adobe Commerce versions:

  • 2.4.8

Apply the following isolated patch or upgrade to the latest security patch.

How to apply the isolated patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the isolated patches have been applied

Because there is no simple functional check that confirms the issue has been fixed, verify instead that the CVE-2025-47110 isolated patch itself was applied successfully.

NOTE: You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example. Substitute the VULN identifier of the patch you actually applied in the grep pattern below; the patch file is named after its VULN number, not after the CVE.

  1. Install the Quality Patches Tool.

  2. Run the command:

    vendor/bin/magento-patches -n status | grep "27015\|Status"

  3. You should see output similar to this, where the VULN-27015 row shows the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch         │ Other           │ Local                  │ Applied     │ Patch type: Custom

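The manual check above can be turned into a gate that a build or deploy step runs automatically, so a missing or unapplied isolated patch fails the pipeline instead of going unnoticed. The script below is an added example, not code from Adobe's article or from the Quality Patches Tool. The status table it parses is constructed here to match the format shown above (the first data row mirrors the Applied row from the article; the VULN-00000 row is a placeholder added to exercise the failure path), and the function names `patch_status` and `check_patch_or_fail` are chosen for this example.

```sh
#!/bin/sh
# Added example (not Adobe's code): fail a deploy step unless the
# Quality Patches Tool reports a given isolated patch as "Applied".
#
# Constructed sample of `vendor/bin/magento-patches -n status` output.
# VULN-27015 mirrors the Applied row shown in the article; VULN-00000 is a
# placeholder id used only to demonstrate the "Not applied" path.
SAMPLE_STATUS='║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch         │ Other           │ Local                  │ Applied     │ Patch type: Custom                               ║
║ N/A           │ ../m2-hotfixes/VULN-00000-2.4.7_COMPOSER_patch.patch         │ Other           │ Local                  │ Not applied │ Patch type: Custom                               ║'

# patch_status PATCH_ID
#   Reads the status table on stdin, prints the Status column of the first
#   row whose Title contains PATCH_ID, and returns 0 only for "Applied".
#   Matching is done on the "│ <status> " cell text, so the "N/A" in the
#   Id column (which follows "║", not "│") cannot be mistaken for a status.
patch_status() {
    row=$(grep -F -- "$1" | head -n 1)
    if [ -z "$row" ]; then
        printf 'not listed\n'
        return 1
    fi
    case $row in
        *"│ Applied "*)     printf 'Applied\n';     return 0 ;;
        *"│ Not applied "*) printf 'Not applied\n'; return 1 ;;
        *)                  printf 'unknown\n';     return 1 ;;
    esac
}

# check_patch_or_fail PATCH_ID
#   Deploy-time gate: runs the real tool when this is executed inside a
#   Commerce checkout, prints the result, and returns non-zero unless the
#   patch is Applied. The Not applied / not listed cases are the ones that
#   must stop a release.
check_patch_or_fail() {
    status=$(vendor/bin/magento-patches -n status | patch_status "$1")
    if [ "$status" = "Applied" ]; then
        printf '%s: Applied\n' "$1"
        return 0
    fi
    printf '%s: %s - refusing to deploy\n' "$1" "$status" >&2
    return 1
}

# Stand-alone demonstration on the constructed sample. On a real checkout
# you would call:  check_patch_or_fail VULN-27015
printf '%s\n' "$SAMPLE_STATUS" | patch_status VULN-27015 || exit 1
```

Grep for the VULN number from the patch file name, not for the CVE: the tool lists the patch by its file name, so a search for "CVE-2025-47110" will report "not listed" even when the fix is in place.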

Security updates

Security updates available for Adobe Commerce:
