← Insights
    Security Alert17 May 2026 · 6 min read

    Adobe Commerce Security Patches May 2026 (APSB26-49): What UK Merchants Need to Do

    Adobe published APSB26-49 on 15 May 2026 — a security bulletin covering critical vulnerabilities in Magento Open Source and Adobe Commerce. Arbitrary code execution is on the list. Here's what it means and how long you have to act.

    APSB26-49 — Critical vulnerabilities patched 15 May 2026

    Affects all currently supported versions of Adobe Commerce and Magento Open Source. Successful exploitation of the most severe issues could lead to arbitrary code execution. Adobe recommends immediate update. No active exploits reported at time of publication — but that window closes fast.

    What Adobe patched

    On 15 May 2026, Adobe released APSB26-49 — the May security bulletin for Adobe Commerce and Magento Open Source. The update resolves a set of critical, important and moderate vulnerabilities across both products.

    The most severe vulnerabilities addressed in this update could allow an attacker to achieve:

    !

    Arbitrary code execution

    The attacker runs their own code on your server — the highest-severity outcome. In a Magento context this typically means installing a payment skimmer, creating hidden admin accounts, or exfiltrating customer data.

    !

    Arbitrary file system write

    The attacker can create or overwrite files anywhere on the server — used to plant backdoors, replace legitimate files with malicious versions, or persist access after a password reset.

    !

    Application denial of service

    The attacker crashes or locks up your Magento application — taking your store offline. Less severe than code execution but directly affects revenue.

    !

    Security feature bypass

    The attacker bypasses a security control — such as authentication checks, access restrictions, or CAPTCHA — that would normally prevent unauthorised actions.

    Adobe states they are not aware of any exploits in the wild at the time of publication. This is meaningful — it means you currently have a window to patch before threat actors weaponise these vulnerabilities. That window typically lasts days to a few weeks, not months.

    15 Maybulletin publishedpatch diffing &exploit developmentmass exploitation(days to weeks)← patch now, while the window is openwindow closes fast →

    "No known exploits" is a deadline, not a reprieve — the safe window opens at publication and narrows fast.

    Which versions are affected

    APSB26-49 covers all currently supported versions of both Adobe Commerce and Magento Open Source. The full version matrix — listing every affected version and its patched counterpart — is published in the official Adobe bulletin.

    Running an end-of-life version?

    If your store is on Magento 2.4.3 or earlier, you are no longer receiving security patches from Adobe. APSB26-49 does not include a fix for your version — because Adobe no longer supports it. This means every critical vulnerability disclosed from this point forward is permanently unpatched on your installation. Upgrading to a supported version is urgent.

    What to do now

    The action required depends on how your Magento store is hosted.

    If you're on managed hosting

    Contact your host and ask them to confirm: (1) what version of Magento your store is currently running, (2) whether they have applied the APSB26-49 patches, and (3) when this was done. A managed host should be able to answer this within hours. If they cannot, that is a signal worth taking seriously.

    If you manage your own server

    Apply the update immediately. Adobe publishes patched versions and isolated security patches for supported branches. Follow the official Adobe Commerce upgrade guide — back up your database and files before beginning. If you are on Magento 2.4.7 or 2.4.8, you can apply the isolated security patch rather than a full version upgrade.

    If you're on an unsupported version

    There is no patch available. Your options are to upgrade to a supported version (recommended), or to engage a Magento security specialist to assess your exposure and implement compensating controls while you plan an upgrade. Do not ignore this.

    Why the "no active exploits" window is short

    Adobe's statement that no exploits are currently known in the wild is reassuring — but it is not a reason to delay. Security bulletins are published publicly, which means threat actors have access to the same information you do the moment a bulletin goes live. Many groups run automated systems that reverse-engineer patches to identify what was fixed and then build exploits accordingly.

    Historical data from previous Adobe Commerce bulletins shows that active exploitation of critical patches typically begins within one to four weeks of publication. For vulnerabilities classified as arbitrary code execution — which APSB26-49 includes — that timeline tends to be at the shorter end.

    The practical advice: treat "no known exploits" as a deadline, not a reprieve.

    How EveryHost handles security patches

    EveryHost provides dedicated Magento hosting on physical hardware in UK data centres, running a custom-managed stack: NGINX, Varnish 7.7, OpenSearch 3, Valkey 8, and PHP 8.4. We monitor Adobe's security bulletins and apply server-level and infrastructure patches as part of managed hosting.

    For Magento application-level updates — changes to the Magento codebase itself — we notify managed customers promptly and can assist with the update process. If you are an existing EveryHost customer and want to confirm your APSB26-49 patch status, call us on 0333 577 6191.

    If you are currently on shared or self-managed hosting and the process of applying security patches falls entirely to you, this is a good moment to reconsider that arrangement. Security bulletins arrive monthly. Each one requires assessment and action.

    Frequently asked questions

    What is APSB26-49?+

    APSB26-49 is Adobe's security bulletin for Adobe Commerce and Magento Open Source, released on 15 May 2026. It addresses a set of critical, important and moderate vulnerabilities. Successful exploitation of the most severe issues could allow an attacker to execute arbitrary code on your server, write files to arbitrary locations, or cause a denial of service. Adobe recommends all merchants update to the latest patched version immediately.

    Which versions of Magento and Adobe Commerce are affected?+

    APSB26-49 covers all currently supported versions of Adobe Commerce and Magento Open Source. The full list of affected versions and their patched counterparts is published in the official Adobe Security Bulletin at helpx.adobe.com/security/products/magento/apsb26-49.html. If you are running an end-of-life version (anything below 2.4.4), you are no longer receiving security patches and should upgrade as a matter of urgency.

    What does 'arbitrary code execution' mean for my Magento store?+

    Arbitrary code execution (ACE) means an attacker can run their own code on your server without your knowledge or permission. In practice, for a Magento store, this could mean installing malware to skim customer payment card data, creating hidden admin accounts, exfiltrating your customer database, or silently redirecting checkout to a fraudulent payment page. ACE vulnerabilities are the most severe category because they give an attacker the same level of control as someone with legitimate server access.

    Are these vulnerabilities being actively exploited?+

    As of Adobe's publication date (15 May 2026), Adobe stated they are not aware of any exploits in the wild for the issues addressed in APSB26-49. However, security bulletins are closely monitored by threat actors and exploits typically emerge within days to weeks of a patch being published — especially for critical vulnerabilities. The window to patch before exploitation begins is narrow.

    Does EveryHost apply these patches for managed customers?+

    EveryHost monitors Adobe's security bulletins and applies server-level patches as part of managed hosting. For Magento application-level updates (the Magento codebase itself), we notify customers and can assist with the update process. If you are an EveryHost managed customer and want to confirm your patch status for APSB26-49, call us on 0333 577 6191 or open a support ticket.

    Managed Magento hosting — we handle security patches

    Dedicated UK hardware, the full Adobe-recommended stack, and a team that monitors security bulletins so you don't have to. Call us or view our plans.