Magento 2 Security Patch Tracker
Adobe Commerce + Magento Open Source security bulletins, with CVE references, affected and fixed version ranges, and a quick "is my version safe?" check.
Get notified when Adobe ships a new bulletin
One email per new bulletin (or batch, when several drop together). Filter by severity. Unsubscribe with one click from any email. Free.
Have a MageSmith account? Manage your subscription in app — auto-confirmed, no email round-trip.
Is my version safe?
Paste your Magento version (e.g. 2.4.6-p3) to see which bulletins still apply.
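The check behind "is my version safe?" is a patch-level comparison within a release line: 2.4.6-p3 is vulnerable to a bulletin whose fix for the 2.4.6 line is 2.4.6-p6, while 2.4.7-p1 is not, and a line that is newer than every fixed line already carries the fix. The following added example (not MageSmith's own code) shows that comparison end to end. The bulletin table in it is constructed sample data with placeholder IDs and made-up fixed versions; real affected and fixed ranges must be taken from Adobe's bulletins.

```python
"""Version-vs-bulletin check for Magento Open Source / Adobe Commerce.
Added example, not MageSmith's code. SAMPLE_BULLETINS is constructed data."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Magento versions look like 2.4.6 or 2.4.6-p3. The -pN suffix is the
# security patch level on that release line; no suffix means p0.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'2.4.6-p3' -> (2, 4, 6, 3); '2.4.7' -> (2, 4, 7, 0). Rejects anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Magento version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def release_line(v: Version) -> Tuple[int, int, int]:
    """2.4.6-p3 and 2.4.6-p6 are both on the 2.4.6 line."""
    return v[:3]


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    fixed_in: Tuple[str, ...]  # first fixed version on each supported line

    def applies_to(self, version: str) -> bool:
        """True when `version` predates the fix, i.e. the bulletin is still open."""
        v = parse_version(version)
        fixes = [parse_version(f) for f in self.fixed_in]
        for f in fixes:
            if release_line(f) == release_line(v):
                return v < f  # same line: only the patch level decides
        # Line not named in the bulletin: lines newer than the newest fixed one
        # ship with the fix already in; older (end-of-life) or skipped lines
        # never received it, so treat them as still affected.
        newest_line = max(release_line(f) for f in fixes)
        return release_line(v) < newest_line


# Constructed sample catalog: placeholder IDs and made-up fixed versions.
SAMPLE_BULLETINS = (
    Bulletin("EXAMPLE-A", "critical", ("2.4.7-p1", "2.4.6-p6", "2.4.5-p8", "2.4.4-p9")),
    Bulletin("EXAMPLE-B", "important", ("2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11")),
    Bulletin("EXAMPLE-C", "critical", ("2.4.3-p1", "2.3.7-p2")),
)


def applicable_bulletins(version: str, severity: Optional[str] = None,
                         catalog=SAMPLE_BULLETINS) -> list:
    """IDs of bulletins that still apply to `version`, optionally filtered by severity."""
    return [b.bulletin_id for b in catalog
            if b.applies_to(version) and (severity is None or b.severity == severity)]


if __name__ == "__main__":
    for v in ("2.4.6-p3", "2.4.7-p3", "2.4.2", "2.4.8"):
        print(v, "->", applicable_bulletins(v) or "no open bulletins")
```

Feed it the value from `bin/magento --version` (or the `magento/product-community-edition` / `magento/product-enterprise-edition` entry in composer.lock). Two caveats a practitioner should keep in mind: patch levels only compare within a line, so never rank 2.4.5-p10 against 2.4.6-p3 by the suffix; and Adobe also ships isolated hotfixes that do not bump the version, so a version-only check will report a bulletin as open on a store that has the isolated patch installed. Verify the fixed-version list against the bulletin itself before acting on the result.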
Security update available for Adobe Commerce | APSB25-50
Fixes multiple vulnerabilities including XSS, server-side request forgery, and improper input validation. Adobe is not aware of any exploits in the wild but recommends prioritising this patch.
Security update available for Adobe Commerce | APSB25-08
Critical-severity update addresses arbitrary file system read and authentication bypass. Apply immediately on internet-facing installs.
Security update available for Adobe Commerce | APSB24-73
Multiple vulnerabilities, the most severe of which could result in arbitrary code execution. Affects every supported Adobe Commerce + Magento Open Source line.
CosmicSting: XXE in REST API (CVE-2024-34102) | APSB24-40
Critical XXE vulnerability in the REST API lets unauthenticated attackers read arbitrary files from the server, including app/etc/env.php, which holds the store's encryption key. With that key an attacker can forge valid tokens and hijack admin sessions, and the bug was chained further to remote code execution. Widely exploited in the wild shortly after disclosure and mass-scanned by botnets; emergency patching is mandatory.
Security update available for Adobe Commerce | APSB24-18
Multiple vulnerabilities resulting in arbitrary code execution, security feature bypass, and privilege escalation. Includes a critical pre-auth chain affecting the storefront API.
XSLT pre-auth code execution | APSB23-35
Pre-authenticated remote code execution via the XSLT processor's external entity handling. Critical — exploitable from the public internet without credentials. Adobe shipped this out-of-band.
TrojanOrders pre-auth RCE (CVE-2022-24086) | APSB22-12
Improper input validation in the checkout flow lets unauthenticated attackers execute arbitrary code: template directives injected into order fields are evaluated when the order's transactional email is rendered. Exploited in the wild at disclosure and later mass-exploited in the 'TrojanOrders' campaign; any store that stayed unpatched should be treated as compromised. Adobe shipped APSB22-13 (CVE-2022-24087) a few days later as a follow-up that widened the original fix.
Catalog mirrors Adobe Security Bulletins. Always verify against the official source before patching production — this catalog is rebuilt on each MageSmith release and may lag a brand-new bulletin by days.