CVE-2025-54236 (aka “SessionReaper”) — What it is, why it matters, and how to fix it
Sep 11, 2025 · 4 min read

TL;DR
What: A critical bug in Adobe Commerce / Magento Open Source that lets an attacker take over customer accounts via the Commerce API (no login or clicks needed).
Severity: CVSS 9.1 — High impact to confidentiality and integrity; no user intera...