
Developer · Credibility 40/100 · 3 min read

Adobe issues Magento 2.3.4 security updates (APSB20-02)

Adobe released Magento 2.3.4 and security-only patches resolving multiple critical vulnerabilities, including remote code execution risks in email templates and page builder components, requiring urgent upgrades for commerce sites.

Executive briefing: Adobe published Magento 2.3.4 and corresponding security-only patches to remediate critical flaws outlined in APSB20-02. Issues include remote code execution through crafted email templates, stored XSS in page builder previews, and information disclosure in GraphQL APIs. Affected branches include Magento Commerce and Open Source 2.3.0‑2.3.3; Adobe also provided patches for Magento 1.14.4.3/1.9.4.3 security support. Merchants must apply the updates promptly to protect storefronts from exploitation.

Why it matters

  • Critical template and page builder bugs can allow unauthenticated code execution or admin compromise, enabling card skimming or site takeover.
  • Magento installations are frequent targets for Magecart-style attacks; unpatched sites risk immediate exploitation once proofs of concept circulate.
  • Security-only patches are available for customers who cannot take full 2.3.4 feature updates, reducing downtime for production commerce stacks.

Operator actions

  • Upgrade to Magento Commerce or Open Source 2.3.4, or apply the 2.3.3—2.3.0 security patch bundles from APSB20-02 if deferring the full release.
  • Back up stores, extensions, and custom themes before patching; test in staging to confirm payment and checkout flows remain stable.
  • Audit admin accounts, disable unused modules, and enable CSP and two-factor authentication post-upgrade to reduce follow-on risk.
  • Monitor server and web logs for template or page builder exploitation attempts and deploy web application firewall rules where available.
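
To triage which stores need the upgrade, the following added example (not from Adobe or the original briefing) reads a `composer.lock` and checks the pinned Magento release against the 2.3.0 to 2.3.3 range named above. It assumes a Composer-based install that pins one of the Magento metapackages; the status labels and the sample lock content are constructed for illustration.

```python
import json
import re

# Affected range as stated in the briefing: 2.3.0 through 2.3.3.
AFFECTED_MIN = (2, 3, 0)
AFFECTED_MAX = (2, 3, 3)
# Composer metapackages that pin the Magento 2 release (Open Source / Commerce).
METAPACKAGES = {
    "magento/product-community-edition": "Open Source",
    "magento/product-enterprise-edition": "Commerce",
}


def classify(version):
    """Return 'affected', 'not-in-range' or 'review' for a version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return "review"  # dev branches, aliases, unparsable strings
    core = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if not (AFFECTED_MIN <= core <= AFFECTED_MAX):
        # Outside the range the briefing names; this is not a verdict of "safe".
        return "not-in-range"
    # A suffix (for example a patch-level tag) cannot be judged from the
    # briefing alone, so it is flagged for a manual check against APSB20-02.
    return "review" if suffix else "affected"


def audit_lock(lock_text):
    """Return (edition, version, status) for each Magento metapackage found."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            edition = METAPACKAGES.get(pkg.get("name"))
            if edition:
                v = pkg.get("version", "")
                found.append((edition, v, classify(v)))
    return found


# Constructed sample input, not taken from a real store.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.3.2"},
    {"name": "magento/framework", "version": "102.0.2"},
]})

if __name__ == "__main__":
    for edition, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{edition} {version}: {status}")
```

Run it against each store's `composer.lock` in place of `SAMPLE_LOCK`; anything reported as `review` needs a manual comparison with the advisory.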

Key sources

  • Adobe APSB20-02 details patched vulnerabilities, affected versions, and download links for 2.3.4 and security-only updates.
  • Magento 2.3.4 release notes summarize fixes and compatibility considerations for Commerce and Open Source deployments.