Adds a Change Password tab to the customer edit page in admin so support can reset a customer's password with re-auth confirmation. Includes composer install, enablement, and configuration steps.
01 Jun 2026
Prebuilt CI pipelines (MageCheck Extension/Store) plus individual actions for setup, caching, version detection, coding standards, DI compile, and Sansec eComscan. Plug them into your repo to run quality checks and installs on GitHub with minimal configuration.
01 Jun 2026
Caps recently viewed items at 10 on client and server. Trims localStorage and truncates sync requests to prevent bloated storage, huge POSTs, and database hammering, mitigating a simple DoS vector.
18 May 2026
Adds an admin-managed ruleset that blocks checkout when billing or shipping data matches configured fragments (street, city, county, postcode, phone), using case-insensitive substring and digit-only phone matching. Includes an audit log of blocked attempts, a per-store kill switch, and an inline rule-impact preview based on recent orders and quotes.
18 May 2026
Signature-based scanner and file integrity monitor with quarantine, an admin findings grid, scheduled scans, and email alerts. Includes request-time guards for uploads, REST, and GraphQL to block webshells, polyglots, and other payloads before they reach disk.
04 May 2026
Explains the AF_ALG kernel bug that allows any local user to escalate to root. Provides an emergency mitigation (disable algif_aead with an Ansible snippet) and advises updating to patched kernels.
CLI that polls KEV, NVD, GHSA, OSV, and Packagist, filters results against your composer.lock, and scores with CVSS/EPSS/KEV. Sends only P0/P1 alerts to Slack and returns exit codes for CI gating.
21 Apr 2026
NGINX config to block the Polyshell upload exploit at the edge, denying API and media paths regardless of location rules. Includes allowlisting, Hypernode/Maxcluster setup steps, and commands to scan affected paths and logs.
07 Apr 2026
Magento is an attractive target for payment skimmers and the number of attacks has increased steadily since 2015. In 2018, attackers shifted from Magento core exploits (e.g., Shoplift, brute-force attacks on admin passwords) to third-party software components. This poses a practical problem: there is no central place where one can (programmatically) find out whether a particular module version has known security issues. This repository solves that!
24 Mar 2026
A Magento 2 module designed to address a potential security concern related to custom options. It ensures that custom option values are correctly validated before processing, preventing unauthorized 'file' type injections.
24 Mar 2026