
Magento
Dominant open-source PHP e-commerce platform, owned by Adobe; paid enterprise edition is Adobe Commerce.
Last refreshed: 7 June 2026
Why does a single Magento extension flaw expose thousands of online stores at once?
Timeline for Magento
- Magento RCE forces 9-day patch race
Cybersecurity: Threats and Defences
- What is Magento and how is it different from Adobe Commerce?
- Magento is an open-source PHP e-commerce platform first released in 2008. It comes in two editions: Magento Open Source (the free community version) and Adobe Commerce (the paid enterprise edition with B2B features, cloud hosting and commercial support). Adobe acquired Magento in 2018 and rebranded the commercial tier as Adobe Commerce while keeping the Magento name for the open-source line. Source: Adobe Commerce documentation, Magento Open Source project
- Why are Magento stores a frequent target for hackers?
- Magento stores process payment-card and customer data, making them attractive to attackers, and the platform's third-party extension ecosystem is a recurring weak point. The Adobe Marketplace review checks code quality but not exploitable patterns such as PHP object injection (attacker-controlled input reaching unserialize()), so a flaw in one widely installed extension, such as CVE-2026-45247 in the Mirasvit Cache Warmer, can expose thousands of stores simultaneously. Source: Sansec e-commerce threat research, CISA KEV advisory
- How do I secure my Magento store against extension vulnerabilities?
- Keep Magento core and all extensions patched on each vendor's schedule, not just Adobe's. Remove unused extensions, audit installed add-ons for known CVEs, enforce PCI DSS v4.0 payment-page script-integrity monitoring (Requirements 6.4.3 and 11.6.1), and apply a web application firewall, bearing in mind that a WAF can block generic serialized-object signatures in request data but does not remove the underlying deserialisation flaw. Subscribe to security alerts from both Adobe and your individual extension vendors, since they patch on separate cadences. Source: Adobe security best practices, PCI DSS v4.0 requirements
- How many websites use Magento?
- Magento and Adobe Commerce together power an estimated 250,000 active storefronts globally, ranging from small boutiques running Magento Open Source to large enterprise retailers on Adobe Commerce. This scale is why a single critical extension flaw has a wide blast radius across the e-commerce ecosystem. Source: Adobe Commerce market reporting, Sansec telemetry
Background
Magento is an open-source e-commerce platform written in PHP, first released in 2008 and one of the most widely deployed online-store engines in the world, powering an estimated 250,000 active storefronts. It exists in two principal editions: Magento Open Source, the free community edition, and Adobe Commerce, the paid enterprise edition that adds B2B features, hosted cloud infrastructure, and commercial support. Adobe acquired Magento in 2018 for $1.68 billion and folded it into its Experience Cloud, rebranding the commercial tier as Adobe Commerce while retaining the Magento name for the open-source line. The platform is favoured by mid-market and enterprise retailers for its extensibility and catalogue depth, competing with Shopify, WooCommerce and BigCommerce in the global e-commerce platform market.
Magento's defining technical characteristic, and its central security liability, is its third-party extension ecosystem. The platform's modular PHP architecture lets merchants install add-on modules from the Adobe Marketplace and external vendors to extend cart, payment, caching and catalogue behaviour. The Marketplace review process checks for code quality and compatibility but not for exploitable patterns such as PHP object injection, where attacker-controlled input (a cookie, a request parameter, a cached value) is passed to unserialize() and PHP instantiates whatever class the attacker names, so the security posture of any given store is bounded by the weakest extension it runs. This is why a flaw in a single add-on can expose thousands of stores at once. In the cyber-threats-and-defences briefing, the Mirasvit Full Page Cache Warmer extension carried CVE-2026-45247, a CVSS 9.8 unauthenticated remote-code-execution flaw exploited via PHP object injection in a crafted cookie.
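The pattern behind that class of flaw, shown as an added example that is not code from Magento, Adobe or the Mirasvit extension: a hypothetical extension handler that feeds a cookie value to unserialize(), a hypothetical gadget class (CacheEntry) whose destructor has a side effect, and two hardened replacements. The cookie name warmer_prefs, the class, the preference keys and the demo file path are all assumptions made for the example; nothing here reflects the real extension's code.

```php
<?php
// Added example (not code from Magento, Adobe or Mirasvit): the PHP object
// injection pattern in a vulnerable form and two hardened forms. The
// CacheEntry class, the "warmer_prefs" cookie name, the preference keys and
// the demo file path are hypothetical. Requires PHP 8.0+.
declare(strict_types=1);

// Hypothetical class on the autoload path. Any class whose magic method has a
// side effect (here __destruct writes a file) becomes a gadget as soon as
// attacker-controlled bytes reach unserialize(): the attacker never calls the
// constructor, PHP instantiates the object for them and sets the properties.
final class CacheEntry
{
    public function __construct(public string $path = '', public string $body = '')
    {
    }

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->body); // the side effect
        }
    }
}

// Builds the serialized form of a CacheEntry by hand, as an attacker would,
// so no CacheEntry is constructed (and no __destruct runs) on the sending side.
function craftPayload(string $path, string $body): string
{
    return sprintf(
        'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:4:"body";s:%d:"%s";}',
        strlen($path), $path, strlen($body), $body
    );
}

// VULNERABLE: the cookie value goes straight into unserialize(), so the
// attacker decides which class is instantiated.
function loadPrefsVulnerable(array $cookies): array
{
    $raw  = $cookies['warmer_prefs'] ?? 'a:0:{}';
    $data = @unserialize($raw);
    return is_array($data) ? $data : [];   // object freed on return -> __destruct fires
}

// HARDENED (minimal change): allowed_classes => false makes unserialize()
// yield __PHP_Incomplete_Class instead of a real object, so no magic method of
// any real class can run; the result must then be a flat array of string keys
// and scalar values before it is trusted. The length bound limits the work an
// attacker can force with a large nested payload.
function loadPrefsHardened(array $cookies): array
{
    $raw = $cookies['warmer_prefs'] ?? 'a:0:{}';
    if (strlen($raw) > 1024) {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return [];
        }
    }
    return $data;
}

// HARDENED (preferred): keep untrusted state in JSON, which has no
// object-instantiation semantics, decode with a small depth limit (2 allows a
// flat object only) and copy out just the keys the code expects.
function loadPrefsJson(array $cookies): array
{
    $raw = $cookies['warmer_prefs'] ?? '{}';
    if (strlen($raw) > 1024) {
        return [];
    }
    try {
        $data = json_decode($raw, true, 2, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    return [
        'pages' => max(0, (int) ($data['pages'] ?? 0)),
        'warm'  => (bool) ($data['warm'] ?? false),
    ];
}

// Demo: one crafted cookie, three handlers. Only the vulnerable handler
// instantiates CacheEntry, and its __destruct writes the file.
$target  = sys_get_temp_dir() . '/poi_demo.txt';   // hypothetical demo path
@unlink($target);
$cookies = ['warmer_prefs' => craftPayload($target, "written by deserialised object\n")];

loadPrefsHardened($cookies);
loadPrefsJson($cookies);
echo 'after hardened handlers: ', file_exists($target) ? 'file written' : 'no file', PHP_EOL;

loadPrefsVulnerable($cookies);
echo 'after vulnerable handler: ', file_exists($target) ? 'file written' : 'no file', PHP_EOL;
@unlink($target);
```

Run it with `php poi_demo.php`: the two hardened handlers leave no file behind, the vulnerable one produces it even though nothing in the handler ever refers to CacheEntry, which is the whole point of object injection. Note that `allowed_classes => false` is a mitigation, not a substitute for never deserialising untrusted input; in Magento 2 module code the framework's `Magento\Framework\Serialize\Serializer\Json` exists for exactly this purpose, and extensions that still call `unserialize()` on request or cookie data are the ones worth flagging in an audit.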
Because Magento stores process payment-card and customer data, they are a recurring target for Magecart-style skimming and supply-chain compromise: in 2018 the Ticketmaster breach originated in a third-party chat script loaded on payment pages, and the British Airways breach in a modified script served from the airline's own checkout flow, both cases of trusted script content reaching the payment page unchecked. Adobe ships first-party platform patches on its own cadence, but extension vendors patch independently, opening a structural gap between the platform's update rhythm and the maintainers of the add-ons merchants depend on. For UK and EU merchants, an extension-origin compromise carries the same GDPR Article 32 and PCI DSS liability as a first-party platform flaw, making the extension attack surface a durable governance problem rather than a one-off incident.