MageSmith

Magento 2 Security Patch Tracker

Adobe Security Bulletins for Adobe Commerce + Magento Open Source — searchable, with version-safe checks.


What Magento 2 Security Patch Tracker does

  • Every published Adobe Security Bulletin (APSBxx-yy) for Adobe Commerce + Magento Open Source — APSB22-12 (TrojanOrders), APSB24-40 (CosmicSting), and the rolling quarterly cadence
  • Severity badges (critical / important / moderate) and one-click filter chips so you can scan only the must-patch issues
  • 'Is my version safe?' form — paste 2.4.6-p3 (etc.) and get every outstanding bulletin that still applies, plus the fixed-in version to upgrade to
  • Per-bulletin page with affected + fixed version ranges, CVE references that link out to NVD, and the official Adobe bulletin URL
  • Operator notes call out when a fix isn't enough — e.g. CosmicSting required env.php key rotation in addition to patching
  • Searchable by APSB ID, CVE prefix (CVE-2024…), or free-text keyword (CosmicSting, RCE, XSS)

How it works

1. Find the bulletin

Search by APSB ID, CVE, or keyword. Filter to critical-only when triaging an emergency.

2. Check your version

Use the 'Is my version safe?' form on the index — paste your Magento version, see every outstanding bulletin and which fixed version to upgrade to.

3. Read + remediate

Each bulletin links to the Adobe page, the affected and fixed version ranges, CVE details, and operator notes (e.g. 'rotate env.php key' for CosmicSting).

Frequently asked about Magento 2 Security Patch Tracker

How fresh is the catalogue?

It's a hand-curated mirror of Adobe Security Bulletins, refreshed when MageSmith ships new versions. Always cross-check against Adobe's own page (linked from every bulletin) before treating it as authoritative — especially within the first 48 hours of a new bulletin.

Why not pull live from Adobe?

Adobe doesn't publish a structured feed of bulletins, only HTML pages. Scraping risks breakage. The hand-curated catalogue trades freshness for trustworthy structured data — IDs, severity, version ranges, CVEs.

What does the 'is my version safe?' check actually compare?

The check first suffix-matches your version against each bulletin's AffectedVersions list, then compares it with the corresponding FixedVersions entry on the same major.minor.patch track. If your patch suffix (-pNN) is at or above the fixed level, the bulletin is marked patched; otherwise it is marked outstanding.
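The comparison described above, written out as an added Python example (this is not MageSmith's own code, and the bulletin IDs `APSBXX-01` / `APSBXX-02` and their version ranges are constructed placeholders, not real Adobe data). It parses `major.minor.patch[-pNN]`, matches the installed version to a bulletin's affected tracks, compares the `-pNN` level against the fixed release on that track, and also handles the track that is affected but has no fix line, where the only remediation is moving to a fixed track:

```python
import re
from dataclasses import dataclass

# Accepts "2.4.6" or "2.4.6-p3"; the -pNN suffix is Adobe's security-patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Split '2.4.6-p3' into (2, 4, 6, 3); a missing -p suffix counts as patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def track(text: str) -> tuple[int, int, int]:
    """The major.minor.patch track a version belongs to, ignoring the -pNN suffix."""
    return parse_version(text)[:3]


@dataclass(frozen=True)
class Bulletin:
    apsb_id: str
    severity: str
    affected_versions: tuple[str, ...]  # one entry per affected track
    fixed_versions: tuple[str, ...]     # the -pNN release that closes it on each track


def assess(version: str, bulletin: Bulletin) -> dict:
    """Classify one bulletin for one installed version: not-affected, patched or outstanding."""
    mine = parse_version(version)
    my_track = mine[:3]
    if my_track not in {track(v) for v in bulletin.affected_versions}:
        return {"id": bulletin.apsb_id, "status": "not-affected", "fixed_in": None}
    fixed_here = [v for v in bulletin.fixed_versions if track(v) == my_track]
    if not fixed_here:
        # Affected track with no fix line: still outstanding, no in-track upgrade target.
        return {"id": bulletin.apsb_id, "status": "outstanding", "fixed_in": None}
    fixed_in = max(fixed_here, key=parse_version)
    status = "patched" if mine[3] >= parse_version(fixed_in)[3] else "outstanding"
    return {"id": bulletin.apsb_id, "status": status, "fixed_in": fixed_in}


def outstanding_bulletins(version: str, bulletins: tuple) -> list[dict]:
    """Every bulletin still open for `version`, most severe first, with the version to upgrade to."""
    rank = {"critical": 0, "important": 1, "moderate": 2}
    results = []
    for b in bulletins:
        r = assess(version, b)
        if r["status"] == "outstanding":
            r["severity"] = b.severity
            results.append(r)
    return sorted(results, key=lambda r: (rank.get(r["severity"], 9), r["id"]))


# Constructed sample catalogue: placeholder IDs and version ranges, not real bulletins.
CATALOGUE = (
    Bulletin("APSBXX-01", "critical",
             ("2.4.7", "2.4.6", "2.4.5"),
             ("2.4.7-p1", "2.4.6-p6", "2.4.5-p8")),
    Bulletin("APSBXX-02", "important",
             ("2.4.6", "2.4.4"),
             ("2.4.6-p4",)),  # 2.4.4 is affected but has no fix line in this sample
)


if __name__ == "__main__":
    for v in ("2.4.6-p3", "2.4.6-p6", "2.4.4-p9"):
        print(v, outstanding_bulletins(v, CATALOGUE))
```

A version on a track that appears in no AffectedVersions list (for example a release that shipped after the fix) reports nothing outstanding, which matches the FAQ's rule that the affected-list match happens before any patch-level comparison.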

Are Adobe Commerce-only patches included?

Yes. Adobe ships unified bulletins covering both editions; they're listed against both products. The catalogue notes which products each bulletin affects.

Where do CVE links go?

Each CVE is a chip linking to the NVD detail page (nvd.nist.gov). Adobe's bulletin pages also list CVEs, but NVD has the full CVSS score + reference list.

Can I get a feed when new bulletins drop?

RSS isn't wired yet. The catalogue is rebuilt on each MageSmith release; follow @magepsycho for release announcements that include security catalogue updates.
