Magento security best practices, vulnerability patches, and hardening techniques for Adobe Commerce and Magento Open Source.
CLI that polls KEV, NVD, GHSA, OSV, and Packagist, filters results against your composer.lock, and scores with CVSS/EPSS/KEV. Sends only P0/P1 alerts to Slack and returns exit codes for CI gating.
21 Apr 2026
NGINX config to block the PolyShell upload exploit at the edge, denying API and media paths regardless of location rules. Includes allowlisting, Hypernode/Maxcluster setup steps, and commands to scan affected paths and logs.
07 Apr 2026
Magento is an attractive target for payment skimmers, and the number of attacks has increased steadily since 2015. In 2018, attackers shifted from Magento core exploits (e.g., Shoplift, brute-force attacks on admin passwords) to third-party software components. This poses a practical problem: there is no central place where one can (programmatically) find out whether a particular module version has known security issues. This repository solves that.
24 Mar 2026
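Both the advisory-polling CLI and the module vulnerability database above come down to the same check: take the package versions from composer.lock, compare each against the first fixed version in an advisory record, score what matches, and turn the result into an alert and a CI exit code. The script below is an added example of that pipeline, not code from either project. The composer.lock excerpt, the advisory records and their ids are constructed for illustration, the P0/P1 thresholds are an assumed triage policy, and the Slack step only builds the webhook payload rather than posting it.

```python
import json
import sys

# Constructed composer.lock excerpt; package names and versions are hypothetical.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/checkout-extras", "version": "2.3.1"},
        {"name": "vendor/seo-toolkit", "version": "v1.0.4"},
        {"name": "magento/module-catalog", "version": "104.0.7"},
    ]
})

# Constructed records standing in for a merged KEV/NVD/GHSA/OSV/Packagist feed.
# Ids are hypothetical. "fixed_in" is the first version that is not affected.
ADVISORIES = [
    {"id": "EXAMPLE-2026-0001", "package": "vendor/checkout-extras",
     "fixed_in": "2.3.2", "cvss": 9.8, "epss": 0.91, "kev": True},
    {"id": "EXAMPLE-2026-0002", "package": "vendor/seo-toolkit",
     "fixed_in": "1.0.4", "cvss": 5.3, "epss": 0.02, "kev": False},
    {"id": "EXAMPLE-2026-0003", "package": "vendor/seo-toolkit",
     "fixed_in": "1.1.0", "cvss": 6.1, "epss": 0.05, "kev": False},
]


def parse_version(version):
    """Turn '2.3.1', 'v1.0.4' or '2.4.7-p3' into a comparable 4-tuple.

    The fourth component is the Magento-style '-pN' patch level, so a store on
    2.4.7 counts as older than a fix shipped in 2.4.7-p3. Shorter versions are
    zero-padded so '1.0' equals '1.0.0'. Pre-release tags ('-beta1') are not
    distinguished from patch levels; this is not a full SemVer comparator.
    """
    base, _, suffix = version.lstrip("v").partition("-")
    parts = []
    for piece in base.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    patch_digits = "".join(ch for ch in suffix if ch.isdigit())
    return tuple(parts[:3]) + (int(patch_digits) if patch_digits else 0,)


def is_vulnerable(installed, fixed_in):
    return parse_version(installed) < parse_version(fixed_in)


def priority(adv):
    """Assumed triage policy: KEV listing, high EPSS or critical CVSS is P0;
    high CVSS or notable EPSS is P1; the rest is lower and never alerted."""
    if adv["kev"] or adv["epss"] >= 0.5 or adv["cvss"] >= 9.0:
        return "P0"
    if adv["cvss"] >= 7.0 or adv["epss"] >= 0.1:
        return "P1"
    return "P2" if adv["cvss"] >= 4.0 else "P3"


def scan(lock_json, advisories):
    """Return the advisories that apply to the locked package versions."""
    installed = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]}
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None or not is_vulnerable(version, adv["fixed_in"]):
            continue
        findings.append({**adv, "installed": version, "priority": priority(adv)})
    return sorted(findings, key=lambda f: f["priority"])


def slack_message(findings):
    """Only P0/P1 reach Slack; returns the webhook payload, or None if nothing to send."""
    urgent = [f for f in findings if f["priority"] in ("P0", "P1")]
    if not urgent:
        return None
    lines = [f"[{f['priority']}] {f['id']} {f['package']} {f['installed']} "
             f"(fix: {f['fixed_in']}, CVSS {f['cvss']}, EPSS {f['epss']:.2f}"
             f"{', KEV' if f['kev'] else ''})" for f in urgent]
    return {"text": "\n".join(lines)}


def exit_code(findings):
    """CI gate: 2 if any P0 finding, 1 if any P1, otherwise 0."""
    prios = {f["priority"] for f in findings}
    if "P0" in prios:
        return 2
    if "P1" in prios:
        return 1
    return 0


if __name__ == "__main__":
    results = scan(COMPOSER_LOCK, ADVISORIES)
    for f in results:
        print(f["priority"], f["id"], f["package"], f["installed"], "->", f["fixed_in"])
    payload = slack_message(results)
    if payload:
        print("would POST to Slack webhook:", json.dumps(payload))
    sys.exit(exit_code(results))
```

On the constructed input the checkout module is flagged P0 (KEV-listed, critical CVSS) and the SEO toolkit's second advisory is flagged P2, so only one line would go to Slack while the build still fails with exit code 2. The patch-level handling is the detail worth keeping: Magento security fixes ship as `-pN` releases, and a comparator that drops the suffix would report a store on 2.4.7 as already fixed.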
A Magento 2 module designed to address a potential security concern related to custom options. It ensures that custom option values are correctly validated before processing, preventing unauthorized 'file' type injections.
24 Mar 2026
Mitigates the PolyShell vulnerability (APSB25-94) — an unrestricted file upload in the Magento REST API that allows attackers to upload executable files via cart item custom option file uploads.
24 Mar 2026
This module provides a dashboard inside the Magento admin to view your composer packages: What packages are installed? Are they up to date? Are there any security advisories for these packages?
A Magento 2 security module that disables the unauthenticated customer address file upload endpoint to protect against CVE-2025-54236 (SessionReaper) and related file upload vulnerabilities.
14 Nov 2025
Applying patches manually per project is simple for in-house development teams or smaller agencies maintaining only a few stores, but it doesn't scale well, from both a time-cost and a security-exposure perspective.
11 Nov 2025
How-to guide on checking whether your Magento 2 store is vulnerable to the SessionReaper (CVE-2025-54236) exploit, with guidance on patching and securing your site if it is.
11 Nov 2025
Since Searchlight Cyber published a technical write-up and proof-of-concept for the SessionReaper vulnerability, attackers have been mass-scanning Magento / Adobe Commerce stores for vulnerable targets. The first phase of the attack involves uploading a payload containing malicious session data to the server.
11 Nov 2025