Security
Magento security best practices, vulnerability patches, and hardening techniques for Adobe Commerce and Magento Open Source.
-
https://github.com/DeployEcommerce/module-prevent-customer-address-file-upload
This is a Magento 2 extension that prevents file uploads to /customer/address_file/upload endpoint which is used in combination with an flaw in Magento's logic to upload code and then execute it for CVE-2025-54236.
1811 Nov 2025
-
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/
A recent vulnerability in Adobe's e-commerce platform, identified as CVE-2025-54236, poses risks of remote code execution, particularly through file-based session storage, which can be exploited by unauthenticated users. The article analyzes the patch related to this vulnerability, its deserialization mechanisms, and offers insights into potential exploitation methods and vulnerabilities remaining in the application. The narrative provides a deep dive into the exploit chain and necessary payloads while exploring the implications of session management and type handling in the context of security.
28 Oct 2025
-
https://magebean.com/
Magebean provides a security audit tool that helps identify vulnerabilities in a web application, highlighting critical, high, and medium issues. An example report indicates outdated core software, default admin routes, and permission misconfigurations. For more details and download options, visit their website.
-
https://github.com/hyva-themes/magento2-optimized-csp-allowlist
This project enhances the security framework of your online store by fine-tuning the Content Security Policy (CSP). It specifically reduces risks associated with unnecessary domain allowances that can lead to XSS vulnerabilities, ensuring safer loading of resources. With this extension, domains in the csp_whitelist.xml files are managed more effectively to improve overall security.
31729 Jul 2025
-
https://github.com/Pixel-Open/magento-cloudflare-turnstile
Turnstile is Cloudflare's smart CAPTCHA alternative. The module allows Turnstile to protect your Magento OpenSource or Adobe Commerce forms.
95427 May 2025
-
https://github.com/olivertar/m2_checkip
This module for Magento 2 allows you to block bots and reported IPs that consume your server resources and degrade your site's performance. It includes blacklists, whitelists, and a tool that lets you analyze logs to find out which bots are visiting your site. Don't try to replace WAF or Cloudflare, it's just another resource.
110 -
https://apedik.dev/blog/post/magento-admin-2fa-automatically-filled-in-with-1password-no-more-external-tools.html
Tired of manually copying codes from an authenticator app every time you log in to Magento Admin? With 1Password, you can store both your credentials and your 2FA code (TOTP) in one place. Once configured, 1Password will automatically fill in everything — including the 2FA field — without the need for external tools.
07 May 2025
-
https://github.com/kiwicommerce/magento2-admin-activity
Easily track every admin activity like add, edit, delete, print, view, mass update etc. Failed attempts of admin login are recorded as well. You get access to the user’s login information and IP address. Track page visit history of admin. Track fields that have been changed from the backend. Allow administrator to revert the modification.
93102 -
https://www.develodesign.co.uk/learn/five-ways-to-improve-magento-admin-security
Securing your administrative interfaces is more critical than ever. Many Magento installations suffer from poorly configured security that leave your entire system vulnerable. Here are 5 quick yet powerful ways to strengthen your Magento admin security that should be standard practice.
06 May 2025
-
https://github.com/genecommerce/module-encryption-key-manager
This module was built to help you with rotation your encryption keys.
178129 Apr 2025
