MageSmith
APSB22-12 critical 2022-02-13

TrojanOrders pre-auth RCE (CVE-2022-24086) | APSB22-12

Improper input validation in the checkout flow allows unauthenticated attackers to execute arbitrary code via crafted email-template inputs. Mass-exploited via the 'TrojanOrders' campaign within 48 hours of disclosure — every unpatched store is presumed compromised. Adobe shipped APSB22-13 a week later as a follow-up to widen the fix.

Operator notes: If you ran an unpatched 2.4.3 / 2.3.7 build between Feb 13 and your patch date, treat the store as compromised. Audit admin users, regenerate keys, scan for backdoor PHP files in pub/media.
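One way to run the pub/media scan from the operator notes, as an added example that is not part of the bulletin or of Adobe's tooling. It assumes a standard Magento layout under the root path you pass in and that pub/media should hold no PHP at all; the helper name scan_media and the usage path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the bulletin): flag PHP-capable files in pub/media.
# Assumption: pub/media holds uploaded assets only, so a PHP extension or an
# opening PHP tag inside any file there warrants manual review.

# scan_media <magento_root>  (hypothetical helper name)
# Prints "reason<TAB>path" per finding; returns 2 if pub/media is missing.
scan_media() (
    media="$1/pub/media"
    if [ ! -d "$media" ]; then
        echo "no pub/media directory under $1" >&2
        return 2
    fi

    # 1. Extensions a web server is commonly configured to hand to PHP.
    find "$media" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print |
    while IFS= read -r f; do
        printf 'php-extension\t%s\n' "$f"
    done

    # 2. Any other file carrying an opening PHP tag, e.g. code appended to
    #    an image. -F matches the tag literally; -l also reports binary files.
    grep -rlF -- '<?php' "$media" 2>/dev/null |
    grep -viE '\.(php|phtml|phar)$' |
    while IFS= read -r f; do
        printf 'php-tag\t%s\n' "$f"
    done
)

# Usage: scan_media /var/www/magento   (path is a placeholder)
```

Compare the modification times of any findings against the window between Feb 13 and your patch date.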

Affected versions

  • 2.4.3-p1 and earlier
  • 2.3.7-p2 and earlier

Fixed in

  • 2.4.3-p2
  • 2.3.7-p3

