Platform
php
Component
openmage/magento-lts
Fixed in
19.4.13
20.0.9
CVE-2021-21427 is a blind SQL injection vulnerability (CWE-89) in Magento LTS, the OpenMage-maintained fork of Magento 1, rated critical on this page. It allows an unauthorized administrator to access restricted resources; that wording means an authenticated admin-panel user reaching data their role does not grant, not an unauthenticated visitor. The affected releases are Magento LTS up to and including v19.4.9 on the 19.x branch and 20.x releases before 20.0.9; the fix ships in v19.4.13 and v20.0.9, and any 19.4.x release below 19.4.13 should be treated as unpatched.
The impact is disclosure of data that the attacker's admin role should not expose. In a blind injection the application never returns query results directly; the attacker infers database contents one true/false condition at a time from differences in response content or timing. Extraction is slow, but the reach is the whole schema readable by the store's database user: customer data, order details and stored payment information are all in scope, and an attacker who pulls admin credential hashes out of that database has a path toward full control of the instance even though the injection itself only reads. This page describes the flaw as a backport of CVE-2021-21024, the corresponding Adobe Magento 2 issue in bulletin APSB21-08, a reminder that Magento LTS tracks upstream security patches and must be kept current.
CVE-2021-21427 was publicly disclosed on April 22, 2021. No active exploitation campaign has been publicly confirmed, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because exploitation requires an admin-panel account, the realistic attack path is a low-privilege, stale or compromised admin login (a phished session, a forgotten agency account) escalating to data its role does not permit, so admin-account hygiene is part of the exposure, not only the missing patch.
Exploit Status
EPSS: 0.64% (70th percentile), i.e. a low estimated probability of exploitation activity in the next 30 days
The fix is to upgrade Magento LTS to v19.4.13 (19.x branch) or v20.0.9 (20.x branch), or a later release. If an immediate upgrade is not feasible, reduce exposure rather than trying to patch the injection yourself: this page does not identify the affected module, and ad-hoc input filtering in a codebase this size routinely misses the vulnerable path. Interim measures that do help: audit admin accounts and roles and remove stale or shared logins, since exploitation needs an authenticated admin session; restrict the admin panel to trusted networks (VPN or IP allow-list at the web server); run the store under a database user limited to the store's own schema with no FILE, SUPER or cross-database grants, so a successful injection can at most read the store's tables; and enable SQL-injection rules on a web application firewall, with the caveat that blind, authenticated injections using short payloads are exactly the class WAF signatures miss most often. After upgrading, confirm the deployed version (for example `composer show openmage/magento-lts`, or the git tag or changelog of the deployed tree in a non-Composer install) rather than firing injection payloads at production endpoints the page does not name.
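As an added example, not code from the advisory or the OpenMage project, the following Python script answers the "am I affected" question from a Composer lock file: it finds openmage/magento-lts in composer.lock and reports whether the locked release predates the fix, using only the fixed versions this page lists (19.4.13 on the 19.x branch, 20.0.9 on the 20.x branch). The composer.lock content embedded below is constructed for the demo; the package name and the lock-file layout are Composer's real ones. Pre-release tags such as 20.0.9-rc1 are deliberately sorted below the final release, and dev-* branch versions are reported as unknown instead of guessed.

```python
"""Is this Magento LTS (OpenMage) install below the CVE-2021-21427 fix?

Added example; not code from the advisory or the OpenMage project.
Fixed versions are the ones this page lists: 19.4.13 (19.x branch) and
20.0.9 (20.x branch). Everything below a branch's fixed release is
treated as unpatched, the conservative reading of a fixed-in version.
"""
import json
import re
import sys

PACKAGE = "openmage/magento-lts"

# Composer-style tags: 19.4.13, v20.0.9, 20.0.9-rc1. Any "-suffix" is treated
# as a pre-release and must sort below the final release, hence the trailing
# 0/1 element in the parsed tuple.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, final) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a release version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


# First release on each branch that carries the fix, keyed by major version.
FIXED = {19: parse_version("19.4.13"), 20: parse_version("20.0.9")}


def is_vulnerable(version):
    """True if `version` is on an affected branch and below that branch's fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Branches the advisory does not mention (e.g. a later 21.x) are out
        # of scope; report them as not vulnerable rather than guessing.
        return False
    return v < fixed


def installed_version(lock_text, package=PACKAGE):
    """Pull the locked version of `package` from composer.lock JSON, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def assess(lock_text):
    """Return (status, version) with status in vulnerable/patched/unknown/not-installed."""
    version = installed_version(lock_text)
    if version is None:
        return ("not-installed", None)
    try:
        return ("vulnerable" if is_vulnerable(version) else "patched", version)
    except ValueError:
        # dev-* or branch aliases carry no release number; check the deployed
        # tree's git tag or changelog by hand instead of trusting the lock.
        return ("unknown", version)


# Constructed composer.lock fragment for the demo (not a real project's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/polyfill-php80", "version": "v1.22.1"},
        {"name": PACKAGE, "version": "19.4.12"},
    ]
})

if __name__ == "__main__":
    # Usage: python check_openmage.py /path/to/composer.lock  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = assess(text)
    print("%s %s: %s" % (PACKAGE, version, status))
    sys.exit(1 if status == "vulnerable" else 0)
```

Run it against the real composer.lock of each store; a non-zero exit makes it usable as a CI gate. Because the check keys on the fixed versions rather than on the "19.4.9 and earlier" phrasing above, a 19.4.10 through 19.4.12 install is also flagged, which is the safe reading when the fix landed in 19.4.13.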
Update Magento LTS to version 19.4.13 or 20.0.9, or a later release, to fix the blind SQL injection vulnerability. The update corrects an issue that could allow an unauthorized administrator to access restricted resources. Taking a backup before upgrading is recommended.
CVE-2021-21427 is a critical-rated blind SQL injection vulnerability in Magento LTS (OpenMage) that lets an authenticated admin user access restricted resources beyond their role.
If you run Magento LTS 19.4.x below 19.4.13 (this page lists 19.4.9 and earlier as affected; treat 19.4.10 to 19.4.12 as unpatched as well) or 20.x below 20.0.9, you are vulnerable. Upgrade to v19.4.13 or v20.0.9 to resolve the issue.
Upgrade to Magento LTS 19.4.13 or 20.0.9. If an immediate upgrade is not possible, tighten admin-account and network access to the admin panel and restrict the database user's privileges; do not rely on ad-hoc input filtering.
No active exploitation campaign has been publicly confirmed and the CVE is not in CISA KEV, but the critical severity and the value of the data reachable make it a high-priority fix wherever admin accounts are not fully trusted.
For the corresponding upstream Magento 2 issue (CVE-2021-21024), refer to Adobe Security Bulletin APSB21-08: https://helpx.adobe.com/security/products/magento/apsb21-08.html