Just two days after Magento 2.4.9 reached General Availability, Adobe released APSB26-49 - a critical security bulletin for Adobe Commerce and Magento Open Source addressing over a dozen vulnerabilities, some with CVSS scores as high as 8.7. If you are running any version of Adobe Commerce or Magento Open Source, this demands your immediate attention.
What's in the patch
The 12th May security release addresses a significant batch of vulnerabilities spanning multiple attack vectors.
Critical vulnerabilities (CVSS 7.4–8.7):
-
CVE-2026-34686 (CVSS 8.7) - Stored Cross-site Scripting (XSS) that could enable arbitrary code execution
-
CVE-2026-34653 (CVSS 8.7) - Path Traversal vulnerability allowing arbitrary file system writes
-
CVE-2026-34645 and CVE-2026-34646 (CVSS 7.5 each) - Incorrect Authorisation leading to security feature bypass
-
CVE-2026-34647 (CVSS 7.4) - Server-Side Request Forgery (SSRF) enabling security feature bypass
-
CVE-2026-34648 through CVE-2026-34652 (CVSS 7.5 each) - Uncontrolled Resource Consumption vulnerabilities that could cause application denial-of-service
Important vulnerabilities (CVSS 4.3–5.3):
-
CVE-2026-34654 (CVSS 5.3) - Vulnerable third-party component dependency
-
CVE-2026-34655 (CVSS 4.8) - Additional Stored XSS vulnerability
-
CVE-2026-34656 (CVSS 4.3) - Improper access controls
The Stored XSS and Path Traversal vulnerabilities are particularly concerning for eCommerce merchants. Stored XSS can allow attackers to inject malicious scripts that execute when admin users or customers view affected pages, potentially capturing session tokens, admin credentials, or customer payment data. The Path Traversal vulnerability, allowing arbitrary file writes, is arguably even more dangerous, as it could enable attackers to place malicious files anywhere on your server's file system.
The timing creates a decision point
Magento 2.4.9 landed on 12th May with over 500 bug fixes, PHP 8.4/8.5 support, and Valkey caching. Hyvä also released version 1.4.6 on the same day with PHP 8.5 compatibility fixes. This security patch now arrives on top of all of that.
If you were already planning your 2.4.9 upgrade, the GA release should incorporate these security fixes. However, if you are running 2.4.7 or 2.4.8 in production and are not ready for the full 2.4.9 upgrade, you need the corresponding security patch for your current version line - and you need it applied urgently.
Recommended action plan
Immediately:
-
Identify your current version. Check your
composer.jsonor runbin/magento --versionin your terminal. -
Download the appropriate patch from the Adobe Commerce or Magento Open Source release channels for your version line.
-
Apply the patch in staging first. Run your full test suite, paying particular attention to checkout flows, admin panel functionality, and any custom modules that interact with file uploads or user-generated content.
-
Deploy to production within 7 days. The stored XSS and path traversal vulnerabilities are severe enough that extended delays carry real risk.
For those planning a 2.4.9 upgrade:
Don't use the security patch as a reason to rush your 2.4.9 upgrade. These are two separate activities. Apply the security patch to your current version immediately, then continue your 2.4.9 upgrade on a considered timeline with proper extension compatibility testing.
For Hyvä users:
If you're also updating to Hyvä 1.4.6, sequence your changes carefully. Apply the security patch first, verify everything works, then update Hyvä as a separate deployment. Stacking multiple changes into a single deployment makes it significantly harder to isolate issues when something breaks.
What this means for PCI DSS 4.0
With PCI DSS 4.0 requirements now in effect, merchants are expected to demonstrate they have processes for applying critical security patches on time. Timely is generally interpreted as within 30 days for critical vulnerabilities, but given the CVSS scores involved here, aiming for under 14 days is prudent.
Document your patch application process, record when you applied the update, and retain evidence of your testing. This is not just good practice - it is an audit requirement.
The broader pattern
This is the second critical Adobe Commerce security bulletin in 2026, following APSB26-05 in March. The cadence reinforces a clear trend: eCommerce platforms are high-value targets, and the frequency of critical patches is increasing, not decreasing.
Merchants who have not automated their security patch testing and deployment pipelines will find it increasingly difficult to keep up. If applying a security patch is still a multi-day manual process for your team, it is worth investing in CI/CD infrastructure that can get a patch through staging and into production within 48 hours.
About On Tap
On Tap is an eCommerce agency specialising in Adobe Commerce, Magento, and Shopify. We help merchants navigate platform complexity, from security patch management and version upgrades to full eCommerce builds. If you need support applying APSB26-49 or planning your 2.4.9 upgrade, get in touch with our team.


