Adobe Just Released a Critical Magento Security Patch (APSB26-73) — Don’t Ignore This One

logo logo

Adobe pushed out a new security bulletin yesterday — APSB26-73, dated July 14, 2026 — and it’s not a light maintenance release. This one covers 14 vulnerabilities across. Adobe Commerce and Magento Open Source, with 8 of them rated Critical. The highest-severity issue carries a CVSS score of 9.6 out of 10.

If you’re running any version ofAdobe Commerce or Magento Open Source and haven’t applied this patch yet, this post is for you. We’ve gone through every vulnerability in the bulletin, translated the technical language into plain English, and laid out exactly why each issue matters for your store — and what happens if you leave it unpatched.

Let’s get into it

APSB26-73 is Adobe’s July 2026 security update forAdobe Commerce and Magento Open Source. It resolves critical, important, and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.

The good news is that Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates — at the time of writing. But if you’ve been following Magento security this year, you know that window closes fast. PolyShell went from disclosure to mass automated exploitation in 72 hours. This patch needs to go in now, before someone builds the tooling

The following products and versions are affected:

  • Adobe Commerce — 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier, 2.4.5-p17 and earlier, 2.4.4-p18 and earlierList Item 1
  • Adobe Commerce B2B — 1.5.3, 1.5.2-p5 and earlier, 1.4.2-p10 and earlier, 1.3.4-p17 and earlier, 1.3.3-p18 and earlier
  • Magento Open Source — 2.4.9, 2.4.8-p5 and earlier, 2.4.7-p10 and earlier, 2.4.6-p15 and earlier
  • Adobe Commerce Events — versions 1.6.0 to 1.20.0

Adobe recommends users update their installation to the newest version. The updated versions are:

  • Adobe Commerce — 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul,
    2.4.5-2026-jul, 2.4.4-2026-jul
  • Adobe Commerce B2B — 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026
    jul, 1.3.3-2026-jul
  • Magento Open Source — 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026
    jul
  • Adobe Commerce Events — 1.21.0

Find your version in that list and apply the corresponding July patch. If you’re on 2.4.4 or 2.4.5, note that these versions are approaching or past their end of support — the July patch buys you time, but an upgrade to a current supported version needs to be on your roadmap.

This is the part most security blogs gloss over with a table and move on. We’re not going to do that. These vulnerabilities affect real things on your store — your customers, your data, your revenue. Here’s what each category means in plain language.

An unrestricted file upload flaw means an attacker can upload a dangerous file — like an executable PHP script — to your server, bypassing the checks that are supposed to prevent it. The attacker doesn’t need to be logged in. No authentication required. No admin access needed. Anyone on the internet can attempt this.

Sound familiar? It should. This is essentially the same category of vulnerability as PolyShell — the exploit that tore through Magento stores in March 2026 with fully automated mass attacks within 72 hours of disclosure. The difference is that PolyShell had a CVSS score of 9.1. This one scores 9.6.

What happens if exploited: An attacker uploads a malicious file to your server. Depending on your server configuration, they can then execute that file remotely — gaining full control of your Magento installation. From there, they can steal your entire customer database, install payment skimmers on your checkout page, plant backdoors that survive reinstalls, create hidden admin accounts, and leave your store as an attack vector for months without you knowing

Why you must patch this immediately: A CVSS score of 9.6 with no authentication required is about as bad as it gets. The fact that no known exploit exists right now doesn’t mean one won’t exist tomorrow. This is exactly the kind of vulnerability attackers build automated tooling for — because it works on every unpatched store without exception.

Improper encoding or escaping of output is a vulnerability where data that should be treated as plain text gets interpreted as executable code. An attacker who has admin credentials — or who has compromised an admin account through another means — can craft a webhook payload that, when processed, executes arbitrary code on your server.

What happens if exploited: A compromised or malicious admin user triggers a specially crafted webhook. The server processes it and executes the embedded code. From this point, the attacker has the same level of access as the server itself — full control over your application.

Why this matters even with admin authentication required: It’s tempting to dismiss vulnerabilities that require admin credentials — “we control who has admin access.” But in practice, admin credentials get phished, reused from breached services, or stolen through previous vulnerabilities. This kind of flaw turns a compromised admin account into a full server takeover. The two issues compound each other.

Stored XSS is one of the nastiest web security vulnerabilities because it persists. Unlike reflected XSS that requires tricking a user into clicking a specific link, stored XSS means malicious code gets saved into your database and executes automatically every time someone loads the affected page.

CVE-2026-47994 affects standard stores. CVE-2026-47995 is flagged specifically for B2B deployments.

What happens if exploited: An attacker injects malicious JavaScript into a field that gets stored and displayed — a product description, a customer review, a CMS block, a B2B quote field. Every admin user or customer who views that content has the script execute in their browser. For admin users, this means session hijacking — the attacker captures the admin session token and can now operate as that admin without needing the password. For customers on affected pages, their session data, form inputs, and payment details can be captured silently.

Why stored XSS is particularly dangerous: It’s invisible. There’s no warning, no error, no popup. The malicious script runs silently in the background. Admins go about their day not knowing their session has been hijacked. Customers check out not knowing their card details are being skimmed. The attack can persist for weeks before anyone notices — if they notice at all.

Authorization vulnerabilities mean the system isn’t correctly checking whether someone is allowed to do what they’re trying to do. CVE-2026-47988 and CVE-2026- 47984 are particularly alarming because they require no authentication — any anonymous visitor to your store can potentially trigger them.

What happens if exploited: Depending on the specific flaw, unauthorized users can access restricted data, perform actions that should require admin privileges, read sensitive customer or order information, or bypass payment and access controls. CVE2026-47988, with a CVSS of 8.6 and no authentication required, is the most concerning of the three — a completely unauthenticated attacker can bypass security features on your live store.

Why authorization flaws are underestimated: Authorization bugs don’t always look dramatic. There’s no server crash, no obvious error. An attacker just… accesses something they shouldn’t. Your store looks completely normal. Meanwhile, customer data is being read, pricing logic is being bypassed, or order information is being exfiltrated silently.

Input validation failures occur when the application doesn’t properly check or sanitize data before processing it. An admin user — or an attacker who has obtained admin credentials — can send maliciously crafted input that the system processes without adequate checks, leading to privilege escalation.

What happens if exploited: A malicious admin user or compromised admin account can escalate their own access level beyond what their role should permit, execute serverlevel operations they shouldn’t have access to, or cause application behaviour that creates further vulnerabilities.

Two more authorization failures, both rated Important with a CVSS of 5.9. Both require
no authentication. Their impact is specifically flagged as high confidentiality impact —
meaning sensitive data can be read by unauthorized parties.

What happens if exploited: Customer personally identifiable information, order data, pricing information, or account details can be accessed by unauthenticated users. For stores subject to GDPR, PCI DSS, or other data protection regulations, an unauthorized data exposure — even without financial theft — constitutes a reportable breach.

Additional stored XSS vulnerabilities with lower CVSS scores — because they require authentication to trigger — but the impact is still meaningful. Malicious scripts injected by a lower-privilege authenticated user can still execute in admin browsers, leading to session hijacking and further privilege escalation.

An open redirect vulnerability means your store’s URL can be used as a stepping stone to redirect users to any external website — including phishing pages that mimic your store. Attackers craft URLs like yourstore.com/redirect?url=malicioussite.com and use them in phishing emails that appear to link to your legitimate store.

What happens if exploited: Customers receive emails appearing to be from your store, click a link that uses your domain, and get redirected to a phishing page that harvests their credentials or payment details. The attack is particularly convincing because the initial URL genuinely belongs to your store. Your brand trust becomes the attack vector.

Under specific conditions, technical information about your Magento installation — configuration details, version information, or internal data — can be exposed to unauthenticated users. This information is used by attackers for reconnaissance — understanding your setup to target subsequent attacks more precisely

CVETypeSeverityCVSSAuth RequiredAdmin Required
CVE-2026- 48356Unrestricted File Upload🔴 Critical9.6NoNo
CVE-2026- 48358Improper Output Encoding (Webhooks)🔴 Critical9.1YesYes
CVE-2026- 47994Stored XSS🔴 Critical8.7YesYes
CVE-2026- 47988Incorrect Authorization🔴 Critical8.6NoNo
CVE-2026- 47984Incorrect Authorization🔴 Critical8.2NoNo
CVE-2026- 47995Stored XSS (B2B)🔴 Critical8.1YesYes
CVE-2026 47996Incorrect Authorization🔴 Critical 7.6 YesYes
CVE-2026 47992Improper Input Validation 🔴 Critical7.2YesYes
CVE-2026 47997Incorrect Authorization🟠 Important5.9NoNo
CVE-2026 47998Incorrect Authorization🟠 Important5.9NoNo
CVE-2026 48371Stored XSS 🟠 Important5.4YesYes
CVE-2026 47999Stored XSS 🟠 Important4.8YesYes
CVE-2026 48000Open Redirect 🟡 Moderate4.3YesYes
CVE-2026 48001Information Exposure🟡 Moderate3.7NoNo

We know how it goes. A new security bulletin lands, you add it to the backlog, you plan to get to it next sprint, and two months later it’s still sitting there.

That approach worked years ago. It doesn’t work anymore.

Look at the pattern from 2026 alone: PolyShell (APSB25-94, CVSS 9.1) — mass automated exploitation within 72 hours of disclosure. Before that, SessionReaper exploited hundreds of stores within days. These are not theoretical warnings. These are documented, real-world attacks on real stores processing real customer payments.

APSB26-73 includes a CVSS 9.6 unauthenticated file upload vulnerability — more severe than PolyShell. Three more unauthenticated vulnerabilities sit alongside it. The moment someone publishes working exploit code — and for vulnerabilities of this severity, someone always does — your unpatched store is a target.

The cost of a breach is not just the incident response bill. It’s customer trust you don’t get back, regulatory penalties under GDPR or PCI DSS, chargebacks from stolen payment data, and the reputational damage of being the store that exposed its customers. No patch timeline is worth that risk.

  • Step 1: Find your current version Log into your Magento admin, go to System → About Magento, and note your exact version number.
  • Step 2: Apply the patch in staging first Never push a security patch directly to production. Apply the July patch on a staging environment that mirrors your production setup, run your core checkout and payment flows, verify your integrations, and confirm nothing breaks.
  • Step 3: Deploy to production with a rollback plan Schedule your production deployment during a low-traffic window — early morning works well. Apply the patch, run smoke tests on checkout, search, and account creation, and watch your error logs closely for the first few hours.
  • Step 4: Don’t forget B2B If you’re running Adobe Commerce B2B, apply the B2B July patch immediately after the core patch. The B2B patch is not optional — the core patch alone does not close CVE-2026-47995 (the B2B-specific stored XSS).
  • Step 5: Update Adobe Commerce Events If your store uses Adobe Commerce Events, upgrade to version 1.21.0. Any version from 1.6.0 to 1.20.0 is listed as affected in this bulletin.
  • Step 6: Scan for existing compromise indicators Given the severity of the vulnerabilities in this bulletin — particularly the unauthenticated file upload and authorization bypasses — run a malware scan after patching. Look for unexpected PHP files in pub/media/, pub/static/, and your root directory. Check your admin user list for accounts you don’t recognise. Review recent file modification timestamps.

Security patches on live Magento stores are not one-click updates. They require environment preparation, compatibility testing across your custom code and extensions, careful production deployment, and post-patch verification. If any of that sounds like more than your team can handle on short notice, we’re here.

At Aims Infosoft, our Magento-certified developers have been applying security patches for over a decade. We handle the full process — staging preparation, patch application, compatibility testing, production deployment, and monitoring. Most standard patch deployments are completed within 24–48 hours.

Don’t leave your store exposed while you figure out the timeline.

👉 Get a Free 2.4.9 Upgrade Consultation from Aims Infosoft →

Aims Infosoft — #1 Magento Solutions Provider | 10+ Years | 50,000+ Stores Served | 52+ Products | 12+ Extensions

Source: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/adobe-commerce/2-4-9

Author Image

Kamlesh Prajapati

Kamlesh Prajapati is the CEO of Aims Infosoft, a technology-driven company specializing in innovative digital solutions and eCommerce development. With extensive experience in business strategy, technology consulting, and team leadership, he is passionate about helping businesses leverage modern technologies to achieve scalable growth. His expertise spans across project execution, client engagement, and building sustainable digital ecosystems. Kamlesh actively contributes to discussions around entrepreneurship, IT innovation, and business transformation.

Related Posts

A Word From Our Proud Clients

See what our most successful clients have to say about working with us...