SessionReaper & CosmicSting: The Magento CVEs You Can't Ignore in 2026

Over the last two years a wave of critical Magento vulnerabilities has put hundreds of thousands of stores at risk. "I'll patch later" is exactly how stores get hacked. Here are the three you must know — and how to check if you're exposed.

CosmicSting (CVE-2024-34102)

An XML external entity (XXE) flaw that lets attackers read your secret encryption key. With that key they forge admin tokens and take over the store. It was chained with a glibc bug for full remote code execution and used to compromise 4,000+ stores in a single campaign.

SessionReaper (CVE-2025-54236)

An improper-input-validation flaw in the Web API that enables account takeover and unauthenticated remote code execution. At its peak, 62% of live Magento stores were still unpatched — making it one of the most dangerous Magento bugs ever disclosed.

TrojanOrders (CVE-2022-24086)

An older but still-exploited checkout flaw that allows remote code execution via crafted orders. Legacy and unmaintained stores remain prime targets.

How to check if you're vulnerable

Run a free scan at MageArgus — it detects your exact version and maps it to every known critical CVE, then tells you the precise upgrade or patch for each.

Why "just upgrade" isn't enough

If your encryption key was already stolen (CosmicSting), upgrading doesn't help — the stolen key stays valid forever. You must also rotate the encryption key and audit for rogue admin users and integration tokens created after the breach.
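The audit step above is easy to describe and easy to skip. The script below is an added example (it is not code from this article, from W3ctrl or from Magento) of what "audit for rogue admin users and integration tokens created after the breach" looks like in practice: it lists every row in the Magento 2 core tables `admin_user`, `integration` and `oauth_token` created on or after the date you believe the key was exposed. The column names (`created`, `created_at`, `revoked`, `user_type`) are those of the standard Magento 2 schema as I know it; verify them against your own installation before relying on the output. The sample rows and the in-memory SQLite database are constructed so the script runs offline; pass a real DB-API connection to `audit_after` to run it against a store (switch the `?` placeholders to `%s` for MySQL drivers).

```python
"""Post-breach audit: list admin users, integrations and OAuth tokens that
appeared after a cut-off date. Added example, not Magento or W3ctrl code."""
import sqlite3
from datetime import datetime

# Assumed Magento 2 core table/column names; check them against your db_schema.xml.
# Placeholder style is '?' (SQLite / qmark); use %s for mysql-connector or PyMySQL.
AUDIT_QUERIES = {
    "admin_users": (
        "SELECT username, email, created, is_active "
        "FROM admin_user WHERE created >= ? ORDER BY created"
    ),
    "integrations": (
        "SELECT name, email, status, created_at "
        "FROM integration WHERE created_at >= ? ORDER BY created_at"
    ),
    # Only live tokens matter; revoked ones can no longer be used.
    "oauth_tokens": (
        "SELECT entity_id, type, user_type, admin_id, created_at "
        "FROM oauth_token WHERE created_at >= ? AND revoked = 0 "
        "ORDER BY created_at"
    ),
}


def audit_after(conn, cutoff):
    """Return {table_name: [rows]} for everything created on/after `cutoff`.

    `cutoff` may be a datetime or a 'YYYY-MM-DD HH:MM:SS' string. Magento stores
    timestamps in that text form, so a string comparison gives the right answer
    in both SQLite and MySQL.
    """
    stamp = cutoff.strftime("%Y-%m-%d %H:%M:%S") if isinstance(cutoff, datetime) else cutoff
    findings = {}
    cur = conn.cursor()
    for name, sql in AUDIT_QUERIES.items():
        cur.execute(sql, (stamp,))
        findings[name] = cur.fetchall()
    return findings


def build_sample_db():
    """Constructed sample data: a trimmed copy of the three tables (only the
    columns the audit reads), one legitimate pre-breach admin plus an admin,
    an integration and a live token all dated after the breach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT,
            email TEXT, created TEXT, is_active INTEGER);
        CREATE TABLE integration (integration_id INTEGER PRIMARY KEY, name TEXT,
            email TEXT, status INTEGER, created_at TEXT);
        CREATE TABLE oauth_token (entity_id INTEGER PRIMARY KEY, type TEXT,
            user_type INTEGER, admin_id INTEGER, revoked INTEGER, created_at TEXT);
        INSERT INTO admin_user VALUES
            (1, 'storeowner', 'owner@example.com', '2023-02-01 09:00:00', 1),
            (2, 'sysadmin2',  'x@example.net',     '2024-07-02 03:14:07', 1);
        INSERT INTO integration VALUES
            (1, 'ERP sync',      'erp@example.com',     1, '2023-05-10 12:00:00'),
            (2, 'Backup helper', 'noreply@example.net', 1, '2024-07-02 03:20:41');
        INSERT INTO oauth_token VALUES
            (1, 'access', 2, 1, 0, '2023-05-10 12:01:00'),
            (2, 'access', 2, 2, 0, '2024-07-02 03:21:05'),
            (3, 'access', 2, 2, 1, '2024-07-02 03:25:00');
    """)
    return conn


def report(findings):
    """Render the findings as plain text, one line per suspicious row."""
    lines = []
    for table, rows in findings.items():
        lines.append(f"{table}: {len(rows)} created after cut-off")
        lines.extend("  " + ", ".join(str(v) for v in row) for row in rows)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed cut-off: the day the exposure was confirmed in this sample.
    print(report(audit_after(build_sample_db(), datetime(2024, 7, 1))))
```

Anything the script lists needs a human decision: a row you cannot tie to a known deployment or a named colleague is disabled first and investigated second. Rotate the encryption key before, not after, this clean-up, or the attacker can simply mint replacements.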

The fix checklist

Need help upgrading or applying patches without breaking your store? W3ctrl handles Magento security patches and upgrades.

Scan your store for free

Run an instant Magento malware & security scan — 0–100 score with copy-paste fixes. No signup.