Adobe has released a new security update, APSB26-73, for Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and Adobe Commerce Events. The update addresses multiple critical, important, and moderate security vulnerabilities that could allow attackers to execute arbitrary code, escalate privileges, bypass security controls, or expose sensitive information under certain conditions.
Adobe has confirmed that it is not aware of any active exploitation in the wild for the vulnerabilities addressed in this release. Nevertheless, merchants and administrators are strongly encouraged to install the latest security updates as soon as possible to reduce risk and maintain a secure e-commerce environment.
Affected Versions
The following product versions are affected and should be updated to the latest July 2026 security releases:
- Adobe Commerce (2.4.4–2.4.9, including earlier affected patch releases),
- Adobe Commerce B2B (1.3.3–1.5.3, including earlier affected patch releases),
- Magento Open Source (2.4.6–2.4.9, including earlier affected patch releases), and
- Adobe Commerce Events (1.6.0–1.20.0).
Solution
Adobe has released updated versions for both Adobe Commerce and Magento Open Source to address these vulnerabilities. Merchants using affected versions should take the following steps:
- Adobe Commerce: 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul, 2.4.5-2026-jul, 2.4.4-2026-jul
- Adobe Commerce B2B: 1.5.3-2026-jul, 1.5.2-2026-jul, 1.4.2-2026-jul, 1.3.4-2026-jul, 1.3.3-2026-jul
- Magento Open Source: 2.4.9-2026-jul, 2.4.8-2026-jul, 2.4.7-2026-jul, 2.4.6-2026-jul
- Adobe Commerce Events: 1.21.0
Merchants should follow a structured update process:
- Verify whether the current Adobe Commerce or Magento Open Source installation is affected.
- Review release notes and compatibility requirements before upgrading.
- Apply the security update in a staging environment before production.
- Thoroughly test checkout, payment workflows, customer accounts, admin functionality, APIs, customizations, third-party extensions, and B2B features where applicable.
- Upgrade Adobe Commerce B2B and Adobe Commerce Events modules alongside the core platform if they are installed.
- After successful validation, deploy the update to the production environment.
- Continue monitoring store performance and logs after deployment to confirm normal operation.
Why This Matters
Adobe Commerce and Magento Open Source power business-critical ecommerce operations and routinely process customer accounts, payment information, and order data. Applying security patches promptly is essential to maintaining a secure and reliable storefront.
The APSB26-73 update resolves vulnerabilities that could potentially allow attackers to:
- Execute arbitrary code under certain conditions.
- Escalate privileges and gain unauthorized access to protected functionality.
- Bypass security controls through authorization weaknesses.
- Exploit stored cross-site scripting (XSS) vulnerabilities.
- Redirect users to untrusted websites.
- Access to limited sensitive information through information disclosure vulnerabilities.
Several of the vulnerabilities carry critical severity ratings with CVSS scores as high as 9.6, highlighting the importance of timely patching. While Adobe has not identified any active attacks targeting these vulnerabilities, publicly disclosed security issues are frequently analyzed by threat actors shortly after release. Delaying updates may increase the likelihood of future exploitation.
Keeping Adobe Commerce and Magento Open Source installations current helps strengthen platform security, reduce operational risk, support regulatory compliance, and protect customer trust.
Vulnerability Details
APSB26-73 addresses 14 security vulnerabilities across Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and Adobe Commerce Events.
The vulnerabilities include:
- Unrestricted file upload vulnerabilities.
- Multiple incorrect authorization flaws.
- Stored cross-site scripting (XSS) vulnerabilities.
- Improper input validation.
- Improper output encoding and escaping.
- Open redirect vulnerabilities.
- Information exposure issues.
If successfully exploited, these vulnerabilities could result in privilege escalation, arbitrary code execution, security feature bypass, unauthorized access to application functionality, or limited disclosure of sensitive information. Some vulnerabilities require authenticated access or administrative privileges, while others may be exploitable without authentication, depending on the specific issue. One arbitrary code execution vulnerability specifically applies to Adobe Commerce webhooks.
Adobe has released patched versions for all supported product lines to remediate these security issues. Although no known exploitation has been reported at the time of publication, organizations should prioritize installing the July 2026 security updates to minimize exposure and maintain a secure Magento and Adobe Commerce environment.
Here’s where you can find detailed information: Adobe Security Bulletin APSB26-73.