CVE-2025-54236 (CISA KEV: Actively Exploited)

Adobe Commerce and Magento Improper Input Validation Vulnerability

Published Oct 24, 2025 · Updated Oct 24, 2025

Description

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

Public Exploits & PoCs (8 found)

PoC: SessionReaper-CVE-2025-54236

PoC Magento Session Reaper - CVE-2025-54236

PoC: session_reaper_lab

Docker environment for a hands-on demonstration of CVE-2025-54236 (SessionReaper): PHP object deserialization leading to RCE in Magento Open Source 2.4.7

PoC: magento-upload-auto-submit-zoneh

SessionReaper-CVE-2025-54236

PoC: CVE-2025-54236_PoC

CVE-2025-54236

PoC: cve-2025-54236

cve-2025-54236 poc

PoC: CVE-2025-54236

CVE-2025-54236 - Magento Remote Code Execution Exploit

PoC: magento2-session-reaper-patch

Patch for CVE-2025-54236 (a.k.a. Session Reaper), which allows customer account takeover and RCE under certain conditions. This patch is actually a Magento 2 extension and is universally compatible with Magento 2.3 & 2.4. If you cannot upgrade Magento or cannot apply the official hotfix, try this one.

PoC: day01-sessionreaper-lab

This is a tiny lab that simulates the core idea reported for CVE-2025-54236 ("SessionReaper").
