What you need to know about the Adobe Commerce 2.4.8-p4 security patch
Adobe has released its latest Adobe Commerce and Magento Open Source security updates, and that means one thing for merchants, developers and support teams: Patch Week is here. Adobe published APSB26-05 on March 10, 2026, covering a new round of security fixes across supported Adobe Commerce and Magento Open Source versions.
The newly released patched versions are:
- 2.4.8-p4
- 2.4.7-p9
- 2.4.6-p14
- 2.4.5-p16
- 2.4.4-p17
For any merchant still running earlier patch levels, this is the moment to act. Adobe’s advisory states that the update resolves vulnerabilities rated critical, important and moderate, with possible impacts including security feature bypass, application denial-of-service, privilege escalation, arbitrary code execution and arbitrary file system read. Adobe also says it is not aware of any exploits in the wild for the issues addressed in this release.
What’s included in this Patch Week release?
According to Adobe’s bulletin, the affected Adobe Commerce versions include 2.4.8-p3 and earlier, 2.4.7-p8 and earlier, 2.4.6-p13 and earlier, 2.4.5-p15 and earlier, and 2.4.4-p16 and earlier. The recommended upgrade path is to move to the newly patched versions released this week.
This round of updates addresses a broad mix of vulnerabilities, including multiple stored cross-site scripting (XSS) issues, incorrect authorization flaws, server-side request forgery (SSRF) issues, path traversal, input validation weaknesses, and an open redirect issue. Several of the listed vulnerabilities are marked critical, with CVSS scores as high as 8.7 in Adobe’s advisory.
Why Patch Week matters
For Adobe Commerce merchants, Patch Week is never just another routine maintenance window. Security patches protect far more than code. They help safeguard customer data, admin access, checkout integrity and the overall stability of the ecommerce operation.
Even when there are no known active exploits, delaying patching increases risk. Once advisories are public, attackers have a clearer roadmap for probing unpatched stores. That is why Patch Week should be treated as a priority item for any business running Adobe Commerce or Magento Open Source. This is an inference based on Adobe’s publication of vulnerability categories, severity levels, and affected versions.
The versions released this week
If your store is on one of the following branches, these are the versions you should now be targeting:
- Adobe Commerce / Magento Open Source 2.4.8 → 2.4.8-p4
- Adobe Commerce / Magento Open Source 2.4.7 → 2.4.7-p9
- Adobe Commerce / Magento Open Source 2.4.6 → 2.4.6-p14
- Adobe Commerce / Magento Open Source 2.4.5 → 2.4.5-p16
- Adobe Commerce 2.4.4 → 2.4.4-p17
It is also worth noting that Adobe’s bulletin includes updates for Adobe Commerce B2B and pre-release 2.4.9 builds, but for most merchants the immediate focus will be the production patch versions above.
What merchants should do now
Patch Week is the time to be proactive. A sensible response includes:
- identifying your current Adobe Commerce version
- confirming whether your store falls within the affected versions listed by Adobe
- applying the correct patched release in a staging environment first
- testing key site functions such as checkout, payment, shipping, promotions and third-party integrations
- scheduling production deployment as soon as possible after validation
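The first two steps can be scripted. The following is an added example, not Adobe's or Pixie Commerce's code: it reads the product metapackage version from a `composer.lock` and compares it with the patched releases listed above. The function names and the sample lock content are assumptions made for illustration.

```python
import json
import re

# Patched releases listed on this page (APSB26-05), keyed by release line.
PATCHED = {"2.4.8": 4, "2.4.7": 9, "2.4.6": 14, "2.4.5": 16, "2.4.4": 17}
# Composer metapackages that carry the installed product version.
METAPACKAGES = ("magento/product-enterprise-edition",
                "magento/product-community-edition")
VERSION_RE = re.compile(r"^v?(\d+\.\d+\.\d+)(?:-p(\d+))?$")


def assess(version):
    """Return (status, target) for a version string such as '2.4.7-p8'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        # Pre-release strings (e.g. 2.4.9 builds) are out of scope here.
        return ("unrecognized", None)
    line, patch = m.group(1), int(m.group(2) or 0)  # no suffix means p0
    if line not in PATCHED:
        # This page names no target for the line; check the bulletin itself.
        return ("not-listed", None)
    target = f"{line}-p{PATCHED[line]}"
    return ("patched" if patch >= PATCHED[line] else "affected", target)


def installed_versions(lock_text):
    """Extract {metapackage: version} from the text of a composer.lock."""
    lock = json.loads(lock_text)
    return {p["name"]: p["version"] for p in lock.get("packages", [])
            if p.get("name") in METAPACKAGES}


# Constructed sample lock content, not taken from a real store.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.8-p3"},
    {"name": "magento/product-community-edition", "version": "2.4.8-p3"},
]})

if __name__ == "__main__":
    for name, ver in installed_versions(SAMPLE_LOCK).items():
        status, target = assess(ver)
        print(f"{name} {ver}: {status}" + (f", target {target}" if target else ""))
```

Run it against the lock file from the deployed release rather than a developer checkout, since the two can differ.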
Security patching is not just about applying code. It is about making sure your store remains secure without disrupting revenue-critical functionality.
If you need help applying this patch or maintaining your Adobe Commerce site, get in touch with Pixie Commerce. Our Magento-certified team can support you through every update.
