On March 10, 2026, Adobe released a security update for Adobe Commerce and Magento Open Source. Adobe Commerce Security Update APSB25-05 addresses critical, important, and moderate vulnerabilities that could lead to security feature bypass, privilege escalation, application denial of service, arbitrary file system read, and arbitrary code execution.
Major Updates in this Version
PHPUnit Upgrade Support for Backporting a Fix from 2.4.7
Adobe Commerce 2.4.6 now supports newer, secure versions of PHPUnit by validating compatibility with updated sebastian/comparator:^4.0 libraries. This allows merchants to safely upgrade PHPUnit through Composer while maintaining platform stability. The update does not affect Adobe Commerce 2.4.6 functionality or expected behavior.
MyDHL REST API Support for DHL Shipping Integration
The DHL shipping integration now includes support for MyDHL REST APIs alongside the existing DHL Express XML integration. This enhancement aligns the platform with DHL's modern API framework and prepares merchants for the future deprecation of legacy XML-based services.
Key Vulnerabilities Addressed by the Adobe Commerce Security Update
This patch addresses the following vulnerabilities:
- Cross-Site Scripting
- Incorrect Authorization
- Server-Side Request Forgery
- Improper Limitation of a Pathname to a Restricted Directory
- Improper Input Validation
- URL Redirection to Untrusted Site (‘Open Redirect’)
These issues pose critical risks, so Adobe Commerce users should apply the update immediately to prevent potential security breaches.
Versions Affected by the Adobe Commerce Security Update
The update impacts various versions of Adobe Commerce and Magento Open Source, including:
- Adobe Commerce: 2.4.9-alpha3 and earlier, 2.4.8-p3 and earlier, 2.4.7-p8 and earlier, 2.4.6-p13 and earlier, 2.4.5-p15 and earlier, 2.4.4-p16 and earlier.
- Adobe Commerce B2B: 1.5.3-alpha3 and earlier, 1.5.2-p3 and earlier, 1.4.2-p8 and earlier, 1.3.5-p13 and earlier, 1.3.4-p15 and earlier, 1.3.3-p16 and earlier.
- Magento Open Source: 2.4.9-alpha3, 2.4.8-p3 and earlier, 2.4.7-p8 and earlier, 2.4.6-p13 and earlier, 2.4.5-p15 and earlier.
Products Affected by the Adobe Commerce Security Update
The update is available for the following Adobe Commerce and Magento Open Source products, each entry giving the updated release for an affected version:
- Adobe Commerce: 2.4.9-beta1 for 2.4.9-alpha3, 2.4.8-p4 for 2.4.8-p3 and earlier, 2.4.7-p9 for 2.4.7-p8 and earlier, 2.4.6-p14 for 2.4.6-p13 and earlier, 2.4.5-p16 for 2.4.5-p15 and earlier, 2.4.4-p17 for 2.4.4-p16 and earlier.
- Adobe Commerce B2B: 1.5.3-beta1 for 1.5.3-alpha3, 1.5.2-p4 for 1.5.2-p3 and earlier, 1.4.2-p9 for 1.4.2-p8 and earlier, 1.3.5-p14 for 1.3.5-p13 and earlier, 1.3.4-p16 for 1.3.4-p15 and earlier, 1.3.3-p17 for 1.3.3-p16 and earlier.
- Magento Open Source: 2.4.9-beta1 for 2.4.9-alpha3, 2.4.8-p4 for 2.4.8-p3 and earlier, 2.4.7-p9 for 2.4.7-p8 and earlier, 2.4.6-p14 for 2.4.6-p13 and earlier, 2.4.5-p16 for 2.4.5-p15 and earlier.
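The check below is an added example, not Adobe's or ioVista's code: it classifies an installed core version against the affected and updated releases listed above. The edition keys, the `check` function and the sample inventory are assumptions made for illustration, and Adobe Commerce B2B extension versions are not covered.

```python
import re

# Highest affected patch level per release line, taken from the lists above.
# The page lists no 2.4.4 entry for Magento Open Source.
LAST_AFFECTED = {
    "commerce": {"2.4.8": 3, "2.4.7": 8, "2.4.6": 13, "2.4.5": 15, "2.4.4": 16},
    "open-source": {"2.4.8": 3, "2.4.7": 8, "2.4.6": 13, "2.4.5": 15},
}
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:-(p|alpha|beta)(\d+))?$")


def check(edition, version):
    """Return (status, fixed_release); status is affected, patched or not-listed."""
    m = VERSION_RE.match(version.strip())
    if m is None or edition not in LAST_AFFECTED:
        raise ValueError(f"unrecognised input: {edition!r} {version!r}")
    line, tag, num = m.group(1), m.group(2), int(m.group(3) or 0)

    if line == "2.4.9":  # pre-release line: alpha3 and earlier -> beta1
        # Assumption: earlier alphas count as affected for both editions,
        # although the Open Source entry names only alpha3.
        if tag == "alpha" and num <= 3:
            return "affected", "2.4.9-beta1"
        if tag == "beta" and num >= 1:
            return "patched", None
        return "not-listed", None

    last = LAST_AFFECTED[edition].get(line)
    if last is None:
        return "not-listed", None  # release line the page does not cover
    # No suffix is the GA build (level 0); alpha/beta builds predate GA.
    level = num if tag == "p" else (0 if tag is None else -1)
    if level <= last:
        return "affected", f"{line}-p{last + 1}"
    return "patched", None


# Constructed sample inventory: (host, edition, installed version).
INVENTORY = [
    ("shop-a", "commerce", "2.4.7-p8"),
    ("shop-b", "open-source", "2.4.8-p4"),
    ("shop-c", "commerce", "2.4.6"),
    ("shop-d", "open-source", "2.4.4-p16"),
    ("shop-e", "commerce", "2.4.9-alpha2"),
]

if __name__ == "__main__":
    for host, edition, version in INVENTORY:
        status, fixed = check(edition, version)
        print(f"{host:8} {edition:12} {version:14} {status:11} {fixed or '-'}")
```

A `not-listed` result means the release line does not appear in the lists above, so the version needs a manual check rather than being assumed safe.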
Recommended Action
Adobe strongly recommends that users apply the patch quickly to enhance security and minimize exposure to vulnerabilities.
How to Install the Update
Step 1: Download the relevant patch files.
Step 2: Install the security patch on a staging platform first.
Step 3: Verify the installation by checking the patch status using the provided tools.
Step 4: Deploy the update on the live platform after confirming stability on staging.
To enhance the solution’s security and mitigate future security threats, businesses should take actions such as:
- Update the Software
- Implement Strong Access Controls
- Monitor for Suspicious Activities
ioVista, an Adobe Commerce certified partner, helps you implement the latest security patch without disturbing your ongoing eCommerce operations. Connect with our certified experts to install this update.