The Adobe Commerce 2.4.8-p2 security release provides security bug fixes for vulnerabilities identified in previous 2.4.8 releases. After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes for details.
Highlights & Fixes
- API Performance Enhancement — Resolves performance degradation in bulk asynchronous Web API endpoints that was introduced after the previous security patch.
- CMS Blocks Access Fix — Fixes an issue where Admin users with restricted permissions (for example, merchandising-only access) were unable to view the CMS Blocks listing page. Previously, these users encountered errors due to missing configuration parameters introduced by earlier security patches.
- Cookie Limit Compatibility — Restores expected behavior related to the MAX_NUM_COOKIES constant in the framework. Ensures compatibility with extensions or customizations that interact with cookie limits.
- Async Operations Restriction — Restricts asynchronous operations for overriding previous customer orders.
- CVE-2025-47110 — Resolves an email templates vulnerability.
- VULN-31547 — Fixes a category canonical link vulnerability.
Additional Information
The fixes for CVE-2025-47110 and VULN-31547 are also available as an isolated patch. See the Knowledge Base article for details.
Related Releases
- 2.4.8-p1 — Earlier security patch release with its own set of fixes. For more, see Adobe Security Bulletin APSB25-50.
- 2.4.8-p2 — Refer to Adobe Security Bulletin APSB25-71 for full details.
How to Apply
Instructions for downloading and applying Adobe Commerce security patches are available in the Adobe Commerce Knowledge Base.