Magento Security Patches Calendar

Last Updated: April 9, 2026

Keeping a Magento store safe requires constant monitoring so that vulnerabilities are identified promptly and fixed before they are exploited. Adobe Commerce does the monitoring job for you, regularly releasing security patches once a vulnerability has been confirmed – all that’s left for you is to apply them. Or ask yours truly to install security patches on your Magento website ;)

In this post, the Amasty team has collected the list of Magento security patches currently available for all Magento 2 versions, issued from 2024 through 2026.

New patches will be added to the list as soon as they are released.

Important: 

On March 17, 2026, a new critical Magento vulnerability, PolyShell, was detected by Sansec. The issue affects all versions up to 2.4.9-alpha2 and allows unauthenticated attackers to upload executable files via the REST API. Depending on server configuration, this may lead to risks such as remote code execution (RCE) or account takeover.

While there is no official Adobe patch available for production versions, you can still take measures to protect your store:

Magento Security Patches Calendar

Patch        Originally posted    Last updated
APSB26-05    03/10/2026           03/10/2026
APSB25-94    10/14/2025           10/16/2025
APSB25-88    09/09/2025           10/24/2025
APSB25-71    08/12/2025           08/12/2025
APSB25-50    06/10/2025           06/25/2025
APSB25-26    04/08/2025           04/08/2025
APSB25-08    02/11/2025           04/16/2025
APSB24-73    10/08/2024           10/08/2024
APSB24-61    08/13/2024           08/13/2024
APSB24-40    06/11/2024           07/12/2024
APSB24-18    04/09/2024           06/26/2024
APSB24-03    02/13/2024           06/26/2024

APSB26-05: Security update available for Adobe Commerce 

Published: March 10, 2026

Priority Rating: 2 (important)

APSB26-05 security update addresses multiple critical, important, and moderate vulnerabilities within Adobe Commerce and Magento Open Source. Vulnerabilities like privilege escalation, arbitrary code execution, and file system exposure can significantly compromise the integrity and security of the affected store environments.

  • Privilege escalation: Attackers could gain unauthorized elevated access.

  • Arbitrary code execution: This could allow the execution of code on vulnerable systems, enabling attackers to take control of the server.

  • File system exposure: Unauthorized users might gain access to sensitive files on the server.

Affected versions:

  • Adobe Commerce: ≤ 2.4.9‑alpha3, ≤ 2.4.8‑p3, ≤ 2.4.7‑p8, ≤ 2.4.6‑p13, ≤ 2.4.5‑p15, ≤ 2.4.4‑p16

  • Magento Open Source: ≤ 2.4.9‑alpha3, ≤ 2.4.8‑p3, ≤ 2.4.7‑p8, ≤ 2.4.6‑p13, ≤ 2.4.5‑p15

What was fixed:

APSB26-05 update resolves critical vulnerabilities that could lead to privilege escalation and arbitrary code execution. Attackers might be able to bypass security mechanisms, gain admin-level access, and run malicious code remotely, affecting the store's functionality and data integrity.


APSB25-94: Security update available for Adobe Commerce

Published: October 14, 2025 (updated 10/16/2025)

Priority Rating: 2 (important)

Adobe's APSB25-94 security update resolves several critical, important, and moderate vulnerabilities that affect Adobe Commerce and Magento Open Source. The most critical issue involves privilege escalation, allowing attackers to perform actions that should only be permitted to administrators.

  • Privilege escalation (CSRF): Attackers can use cross-site request forgery to escalate their permissions to admin levels, giving them unauthorized control over the site.

  • Arbitrary code execution: Exploiting this vulnerability could allow remote attackers to execute their code on vulnerable systems.

Affected versions:

  • Adobe Commerce: ≤ 2.4.9‑alpha2, ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

  • Magento Open Source: ≤ 2.4.9‑alpha2, ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

What was fixed:

The vulnerabilities in this update include privilege escalation, arbitrary code execution, and file system exposure. These flaws could allow attackers to gain higher access rights than they are authorized to, leading to unauthorized access to sensitive data, loss of control over the site, or a complete compromise of the server.

APSB25-88: Security update available for Adobe Commerce 

Published: September 9, 2025 (updated 10/24/2025)

Priority Rating: 1 (critical)

This release addresses a critical vulnerability, SessionReaper (CVE‑2025‑54236), which allows unauthorized access to sensitive endpoints through the REST API, bypassing authentication mechanisms. This flaw has been actively exploited in the wild and can lead to unauthorized access to sensitive data.

  • Improper authentication: Attackers can bypass authentication and access user accounts, including sensitive personal data or business transactions.

  • Arbitrary code execution: Once authentication is bypassed, attackers can perform unauthorized actions, including taking over accounts or manipulating sensitive site functionality.

Affected versions:

  • Adobe Commerce: ≤ 2.4.9‑alpha2, ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

  • Magento Open Source: ≤ 2.4.9‑alpha2, ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

What was fixed:

The most severe vulnerability in this update is related to REST API endpoints, where the authentication bypass could be exploited to access restricted areas. Once exploited, attackers can take over user accounts and perform malicious activities, like sending fraudulent orders or exposing personal customer data. This issue is critical as it enables attacks to occur without user credentials.

APSB25-71: Security update available for Adobe Commerce 

Published: August 12, 2025

Priority Rating: 2 (important)

This update addresses vulnerabilities related to unauthorized file system access, privilege escalation via CSRF, and denial-of-service (DoS) attacks. These vulnerabilities could lead to attackers gaining higher-level access to your store, accessing sensitive information, or disrupting service availability.

  • Unauthorized file system access: An attacker could access server files that should be protected, leading to the potential exposure of sensitive data such as customer details or configuration files.

  • Privilege escalation (CSRF): Attackers can bypass intended user restrictions and gain access to functionality that should only be accessible to administrators.

  • Denial-of-service (DoS): Attackers can exploit these flaws to create conditions that slow down or take your website offline, affecting the user experience and business operations.

Affected versions:

  • Adobe Commerce: ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p13, ≤ 2.4.5‑p15, ≤ 2.4.4‑p16

  • Magento Open Source: ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p13, ≤ 2.4.5‑p15

What was fixed:

This release provides patches for unauthorized file system access, which is a significant security risk if attackers gain access to private store files. Additionally, CSRF vulnerabilities could allow malicious actors to escalate their privileges, gaining admin-like access. This could result in unauthorized configuration changes or data manipulation.

APSB25-50: Security update available for Adobe Commerce

Published: June 10, 2025 (updated 06/25/2025)

Priority Rating: 1 (critical)

This security update addresses several critical vulnerabilities, including those that could allow arbitrary code execution and cross-site scripting (XSS). These flaws impact the core components of Adobe Commerce and Magento Open Source and can have serious consequences if left unpatched.

  • Arbitrary code execution: Exploiting this vulnerability could allow an attacker to run code on the server, potentially gaining full control of the platform.

  • XSS vulnerabilities: These issues allow attackers to inject malicious scripts that run within the context of a legitimate user session, allowing for the theft of session cookies, or redirection to phishing pages.

Affected versions:

  • Adobe Commerce: ≤ 2.4.8‑p4, ≤ 2.4.7‑p9, ≤ 2.4.6‑p14

  • Magento Open Source: ≤ 2.4.8‑p4, ≤ 2.4.7‑p9, ≤ 2.4.6‑p14

What was fixed:

The update addresses two critical issues: arbitrary code execution and XSS vulnerabilities. If exploited, these flaws can allow attackers to take over a website, access sensitive data, and inject malicious code.

APSB25-26: Security update available for Adobe Commerce 

Published: April 8, 2025

Priority Rating: 2 (important)

This update addresses multiple critical and important vulnerabilities in Adobe Commerce and Magento Open Source. The most notable issues include security feature bypass, privilege escalation, and denial‑of‑service (DoS) vulnerabilities. These vulnerabilities can potentially allow attackers to bypass security restrictions or escalate their privileges, gaining unauthorized access to the system.

  • Security feature bypass: Attackers could bypass security controls that protect sensitive operations, leading to unauthorized actions.

  • Privilege escalation: Attackers can increase their access rights, potentially performing actions only allowed for admin users.

  • Denial-of-service (DoS): Attackers can exploit vulnerabilities to cause service disruptions or slowdowns, affecting site availability.

Affected versions:

  • Adobe Commerce: ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

  • Magento Open Source: ≤ 2.4.8‑p2, ≤ 2.4.7‑p7, ≤ 2.4.6‑p12, ≤ 2.4.5‑p14

What was fixed:

This patch addresses vulnerabilities that could allow attackers to bypass security features and escalate their privileges. Bypassing security features can lead to unauthorized actions or access to sensitive data. Privilege escalation is especially dangerous as it can allow attackers to perform admin-level tasks. The patch also addresses issues that can trigger DoS attacks, potentially disrupting the store's availability. This makes patching important to maintain system stability and protect sensitive operations.

APSB25-08: Security update available for Adobe Commerce

Published: February 11, 2025 (updated April 16, 2025)

Priority Rating: 1 (critical)

This update addresses critical vulnerabilities that can lead to arbitrary code execution and cross-site scripting (XSS) attacks. These vulnerabilities affect Adobe Commerce and Magento Open Source installations and can have severe consequences if exploited.

  • Arbitrary code execution: Attackers can exploit these vulnerabilities to run unauthorized code on the affected systems.

  • XSS vulnerabilities: These flaws allow attackers to inject malicious scripts into the platform, which could steal session cookies, perform phishing attacks, or manipulate site functionality.

Affected versions:

  • Adobe Commerce: ≤ 2.4.8‑p4, ≤ 2.4.7‑p9, ≤ 2.4.6‑p14

  • Magento Open Source: ≤ 2.4.8‑p4, ≤ 2.4.7‑p9, ≤ 2.4.6‑p14

What was fixed:

The patch resolves critical code execution vulnerabilities and XSS flaws. Arbitrary code execution can allow attackers to completely compromise a store’s server, executing commands or scripts that could damage the store or steal data. The XSS vulnerabilities could lead to session hijacking, data theft, or fraudulent transactions, making this a high-priority update for all stores running vulnerable versions.

APSB24-73: Security update available for Adobe Commerce

Published: October 8, 2024

Priority Rating: 2 (important)

APSB24-73 update addresses multiple critical, important, and moderate vulnerabilities in Adobe Commerce and Magento Open Source. These issues could result in arbitrary code execution, file system exposure, and privilege escalation.

  • Arbitrary code execution: Exploitation could allow attackers to execute remote code on the affected systems.

  • File system exposure: Sensitive data could be exposed to unauthorized parties, potentially leading to data breaches.

  • Privilege escalation: Attackers could elevate their privileges, gaining access to restricted areas or performing admin-only actions.

Affected versions:

  • Adobe Commerce: ≤ 2.4.7‑p2, ≤ 2.4.6‑p7, ≤ 2.4.5‑p9, ≤ 2.4.4‑p10

  • Magento Open Source: ≤ 2.4.7‑p2, ≤ 2.4.6‑p7, ≤ 2.4.5‑p9, ≤ 2.4.4‑p10

What was fixed:

The vulnerabilities fixed by this patch cover a variety of security flaws, including code execution risks and privilege escalation. Arbitrary code execution vulnerabilities pose a significant risk because they allow attackers to take full control of affected systems. Furthermore, the file system exposure flaw means that unauthorized users could gain access to sensitive data, which could compromise business operations and customer privacy. Prompt application of this update is crucial to protect the integrity of the platform.

APSB24-61: Security update available for Adobe Commerce

Published: August 13, 2024

Priority Rating: 2 (important)

This security update fixes critical vulnerabilities that could allow arbitrary code execution and file system exposure. These vulnerabilities can significantly affect the security and functionality of affected platforms.

  • Arbitrary code execution: Attackers could execute unauthorized code on the affected systems, potentially leading to a full compromise.

  • File system exposure: Unauthorized access to sensitive files could lead to data leakage or unauthorized modifications.

Affected versions:

  • Adobe Commerce: ≤ 2.4.7‑p1, ≤ 2.4.6‑p6, ≤ 2.4.5‑p8, ≤ 2.4.4‑p9

  • Magento Open Source: ≤ 2.4.7‑p1, ≤ 2.4.6‑p6, ≤ 2.4.5‑p8, ≤ 2.4.4‑p9

What was fixed:

The vulnerabilities include remote code execution risks and file system exposure. These could allow attackers to access or modify sensitive files on the server or run malicious code. Given the severity of the issues, this update should be applied immediately to mitigate potential risks to both business operations and customer data.

APSB24-40: Security update available for Adobe Commerce 

Published: June 11, 2024 (updated 07/12/2024)

Priority Rating: 1 (critical)

This update addresses the critical vulnerability “CosmicSting” that could allow arbitrary code execution and privilege escalation within Adobe Commerce and Magento Open Source. These vulnerabilities could result in full compromise of affected systems and unauthorized access to sensitive information.

"CosmicSting" (CVE-2024-34102) is a critical bug affecting Magento and Adobe Commerce stores, allowing cybercriminals to steal customer and payment data.

  • Arbitrary code execution: An attacker could execute unauthorized commands on the server, compromising the store’s infrastructure.

  • Privilege escalation: Attackers could gain admin-level access to restricted areas, enabling them to manipulate sensitive customer or business data.

Affected versions:

  • Adobe Commerce: ≤ 2.4.7, ≤ 2.4.6‑p5, ≤ 2.4.5‑p7

  • Magento Open Source: ≤ 2.4.7, ≤ 2.4.6‑p5, ≤ 2.4.5‑p7

What was fixed:

This update addresses multiple critical vulnerabilities within the platform that, if exploited, could give attackers full access to the store infrastructure. The most critical vulnerabilities include arbitrary code execution, which allows attackers to take full control of the server, and privilege escalation, which can allow attackers to perform unauthorized admin actions. Both issues pose a serious risk to the store’s operations and customer data, making this patch a high priority for affected systems.

APSB24-18: Security update available for Adobe Commerce

Published: April 9, 2024 (updated 06/26/2024)

Priority Rating: 3 (moderate)

Adobe issued this update to address critical vulnerabilities that could result in arbitrary code execution and privilege escalation in Adobe Commerce and Magento Open Source. The vulnerabilities could allow attackers to execute malicious code remotely or gain unauthorized access to sensitive areas of the system.

  • Arbitrary code execution: An attacker could exploit the vulnerabilities to run unauthorized code on the server, allowing them to gain full control of the affected system.

  • Privilege escalation: Attackers could elevate their privileges, granting them access to areas of the platform that should be restricted to administrators only.

Affected Versions:

  • Adobe Commerce: ≤ 2.4.7, ≤ 2.4.6, ≤ 2.4.5

  • Magento Open Source: ≤ 2.4.7, ≤ 2.4.6, ≤ 2.4.5

What Was Fixed:

The APSB24‑18 security update addresses critical vulnerabilities that allow attackers to execute arbitrary code on the server and escalate their privileges to unauthorized levels. These issues are particularly serious because they can result in attackers gaining full control over your store, potentially stealing sensitive customer data, tampering with configurations, or even taking down the store through DoS attacks.

APSB24-03: Security update available for Adobe Commerce

Published: February 13, 2024 (updated 06/26/2024)

Priority Rating: 3 (moderate)

Adobe released this security update to address a combination of critical, important, and moderate vulnerabilities affecting Adobe Commerce and Magento Open Source installations. These vulnerabilities relate to fundamental platform components and, if left unpatched, could undermine the security and stability of your e‑commerce store. Specifically:

  • Arbitrary code execution: Attackers could supply specially crafted input to make the platform run unauthorized code, potentially allowing remote compromise.

  • Security feature bypass: Some internal security controls could be circumvented, meaning attackers might reach functionality or data they shouldn’t be able to.

  • Denial‑of‑service (DoS): Certain flaws could be abused to slow down or crash the application, affecting availability for legitimate customers.

Affected versions:

  • Adobe Commerce: ≤ 2.4.6-p3, ≤ 2.4.5-p5, ≤ 2.4.4-p6, ≤ 2.4.3-ext-5, ≤ 2.4.2-ext-5 

  • Magento Open Source:  ≤ 2.4.6-p3, ≤ 2.4.5-p5, ≤ 2.4.4-p6

What was fixed:

APSB24-03 resolves critical issues that could allow attackers to execute arbitrary code remotely when input is mishandled by core components. It also fixes security feature bypass conditions, where intended checks or authorizations could be skipped under specific circumstances, and application denial‑of‑service conditions, where an attacker could send crafted requests that degrade performance or crash the system.
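The "Affected versions" lists above are inclusive upper bounds per release line, which makes it easy to misread them when your store runs, say, 2.4.6-p10 or a 2.4.9 alpha. The helper below is an added example, not code from Amasty or Adobe: it parses Magento's version scheme (2.4.7, 2.4.7-p8, 2.4.9-alpha3, 2.4.3-ext-5), compares an installed version against the thresholds copied from four of the advisories on this page, and reports which advisories still cover it. Two assumptions are built in: pre-releases (alpha, beta) sort before the plain release and patch/extended-support builds after it, and a release line that an advisory does not mention at all is reported separately, because that usually means an end-of-life branch with no fix rather than a safe one.

```python
"""Check an installed Magento / Adobe Commerce version against the
affected-version ranges listed in the advisories above (added example)."""
import re
from typing import Dict, List, Tuple

# Inclusive upper bounds ("<=") copied from the advisory sections of this page.
ADVISORIES: Dict[str, Dict[str, List[str]]] = {
    "APSB26-05": {
        "Adobe Commerce": ["2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8", "2.4.6-p13", "2.4.5-p15", "2.4.4-p16"],
        "Magento Open Source": ["2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8", "2.4.6-p13", "2.4.5-p15"],
    },
    "APSB25-88": {  # SessionReaper, CVE-2025-54236
        "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
        "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
    },
    "APSB24-40": {  # CosmicSting, CVE-2024-34102
        "Adobe Commerce": ["2.4.7", "2.4.6-p5", "2.4.5-p7"],
        "Magento Open Source": ["2.4.7", "2.4.6-p5", "2.4.5-p7"],
    },
    "APSB24-03": {
        "Adobe Commerce": ["2.4.6-p3", "2.4.5-p5", "2.4.4-p6", "2.4.3-ext-5", "2.4.2-ext-5"],
        "Magento Open Source": ["2.4.6-p3", "2.4.5-p5", "2.4.4-p6"],
    },
}

# major.minor.patch with an optional suffix: -p8, -alpha3, -beta1, -ext-5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p|ext)-?(\d+))?$")

# Assumed ordering within one release line: alpha < beta < plain release < p/ext builds.
_RANK = {"alpha": -2, "beta": -1, None: 0, "p": 1, "ext": 1}

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '2.4.7-p8' into a tuple that compares correctly: (2, 4, 7, 1, 8)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, suffix, num = m.groups()
    return (int(major), int(minor), int(patch), _RANK[suffix], int(num or 0))


def _branch(v: VersionKey) -> Tuple[int, int, int]:
    return v[:3]  # the release line, e.g. 2.4.7 for 2.4.7-p8


def is_affected(installed: str, thresholds: List[str]) -> bool:
    """True if `installed` sits on a listed release line and is not newer than that line's bound."""
    inst = parse_version(installed)
    for bound in thresholds:
        limit = parse_version(bound)
        if _branch(inst) == _branch(limit) and inst <= limit:
            return True
    return False


def check(installed: str, product: str = "Magento Open Source") -> List[str]:
    """Advisory ids (newest first, as in the calendar) whose ranges still cover `installed`."""
    return [aid for aid, per_product in ADVISORIES.items()
            if is_affected(installed, per_product.get(product, []))]


def unlisted_advisories(installed: str, product: str = "Magento Open Source") -> List[str]:
    """Advisories that do not mention the installed release line at all.

    Treat this as a red flag: the line is probably out of support and has no fix."""
    inst_branch = _branch(parse_version(installed))
    return [aid for aid, per_product in ADVISORIES.items()
            if all(_branch(parse_version(b)) != inst_branch for b in per_product.get(product, []))]


if __name__ == "__main__":
    # Constructed sample inputs, not real store data.
    for version, product in [("2.4.6-p10", "Magento Open Source"),
                             ("2.4.8-p4", "Magento Open Source"),
                             ("2.4.4-p10", "Adobe Commerce"),
                             ("2.4.3-ext-5", "Magento Open Source")]:
        print(f"{product} {version}: affected by {check(version, product) or 'none'};"
              f" line not listed in {unlisted_advisories(version, product) or 'none'}")
```

Feed it the output of `php bin/magento --version` for the store you are responsible for; a non-empty `check()` result means at least one of the listed advisories still applies and the corresponding patch release is outstanding, while entries in `unlisted_advisories()` mean the release line was not in scope for that advisory and should be treated as unpatched rather than safe.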

Summing It Up

New vulnerabilities will appear unless the Internet ceases to exist, which is quite a pessimistic scenario. In this regard, the timely installation of Magento security patches is a perfect way to keep your store protected from hacks, breaches, and data losses. Stay tuned – as we’ve said at the beginning, we’ll be adding new security patches to this list as soon as they are released by Adobe, so feel free to make this post your handbook.

Originally published: April 9, 2026