A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.1.0 (fixed in 2.1.19)

Packagist magento/community-edition

Affected versions: 2.2.0 (fixed in 2.2.10)

Packagist magento/community-edition

Affected versions: 2.3.0 (fixed in 2.3.3)

Related CVEs

CVE-2019-8141

Key Information

GHSA ID

GHSA-9wr9-fw9v-8fgr

Published

May 24, 2022 5:00 PM

Last Modified

September 26, 2023 7:17 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.