APSB26-05 and APSB26-49 landed two months apart. Both lean hard on Incorrect Authorization and Stored XSS. That’s not a coincidence — it’s a signal about where the Commerce codebase keeps producing gaps.
Adobe’s June 2026 AEM bulletin contains 27 confirmed stored XSS and 9 DOM-based XSS CVEs, all CVSS 5.4. The count is the signal — not the individual severity.
Sansec research reveals 4,880+ fake .shop storefronts impersonating real brands with a custom checkout SDK and real-time 3DS relay. The attack doesn’t touch your store — it builds a parallel one. Here’s what makes it work and …
Two command injection vulnerabilities in Composer’s Perforce driver are exploitable even if you’ve never touched Perforce. For Magento shops running dev dependencies from source, CVE-2026-40261 is a supply-chain exposure hiding …
The November 2025 bulletin wave included a CVSS 9.1 session takeover, a stored XSS in Magento-lts, and an active Xurum webshell campaign. Read together, they describe something the individual advisories don’t.