Magento 1 EOL Patches
A list of the patches made available to Magento 1 EOL support customers
Patches to fix discovered vulnerabilites in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs .
Note:
M1 Commerce patches will be available within 60 days from date mentioned below.
Date | ID | Description | Open Source | Commerce |
|---|---|---|---|---|
| Aug 07 2020 | 12 | Improves PCI-DSS compliance by forcing login form to disable autocompletion. | Download | Download |
| Aug 07 2020 | 13 | (HIGH) Re-release of Adobe’s SUPEE-11346
(originally released on 06/22/2020) for Magento 1.9.4.5. | Download | |
| Aug 07 2020 | 14 | Prevents parallel logins for the same user account (session attack for backend and frontend). | Download | Download |
| Aug 19 2020 | 15 | Adds new configuration option to enable “secure” marker for all cookies. | Download | Download |
| Aug 28 2020 | 16 | Adds compatibility for PHP 7.3. | Download | Download |
| Aug 28 2020 | 17 | Improves clearing of session data with parallel logins. | Download | Download |
| Oct 01 2020 | 18 | (CRITICAL) This patch is based on a backport for CVE-2020-9690
of Magento 2. | Download | Download |
| Oct 01 2020 | 19 | (CRITICAL) Prevents admin users from using soap access w/product attributes and a product to upload and execute executable files to the server. | Download | Download |
| Oct 01 2020 | 20 | Prevents admin users with access to System > Permissions > Variables from adding config paths for encrypted config fields. | Download | Download |
| Oct 29 2020 | 21 | Improves compatibility of 3rd party integrations by flagging cookies as SameSite=None. | Download | Download |
| Oct 29 2020 | 22 | (HIGH) Prevents access to the /downloader directory. | Download | Download |
| Oct 29 2020 | 23 | Replaces the news feed URL in Magento so you receive patch notifications in your admin panel. | Download | Download |
| Oct 29 2020 | 24 | Avoids incorrect form keys creating an error log entry. This is an improvement for patch ID 18. | Download | Download |
| Oct 29 2020 | 25 | (CRITICAL) Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout xml. | Download | Download |
| Dec 09 2020 | 26 | Improves cookie handling. | Download | Download |
| Dec 09 2020 | 27 | (HIGH) Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout xml. | Download | Download |
| Dec 09 2020 | 28 | (HIGH) Prevents admin users with permission to create products from injecting an executable file on the server via wishlist functionality. | Download | Download |
| Dec 09 2020 | 29 | (HIGH) Prevents admin users with permission to import/export data and to edit cms pages from injecting an executable file on the server via layout xml. | Download | Download |
| Dec 09 2020 | 30 | Improves patch 20. | Download | Download |
| Dec 09 2020 | 31 | Improves patch 21. | Download | Download |
| Dec 09 2020 | 32 | Fixes an issue with patch 23. | Download | Download |
| Jan 21 2021 | 33 | Fixes an issue with patch 31: Cookie secure flag wasn’t boolean in JavaScript. | Download | Download |
| Jan 21 2021 | 34 | Adds samesite setting to PHP based session cookies. | Download | Download |
| Apr 05 2021 | 35 | Fixes a core bug when using prepare data for redirecting. Note: This patch is also required for patch 39 to operate properly. | Download | Download |
| Apr 05 2021 | 36 | (HIGH) Fixes a bug in Zend Framework’s Stream HTTP Wrapper - CVE-2021-3007 | Download | Download |
| Apr 05 2021 | 37 | Support for PHP 7.4 and PHP 8. In order to switch to PHP 7.4 or PHP 8 you also have to make sure any custom code and third party extension is compatible with these PHP versions! Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use \r\n line breaks instead of \n line breaks for certain files.Option 1: If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: ```find . -type f -print0 | xargs -0 dos2unix</div> <div>**Option 2:** If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks:find . -type f -name *.php -print -exec sed -i ’’ ’s/\r//’ {} ;``` | Download |
| Apr 05 2021 | 38 | Changes the content-type in json responses from text/html tot application/json to prevent XSS attacks | Download | Download |
| Apr 05 2021 | 39 | The wishlist sharing function has been subject to intensive SPAM abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that patch #35 is required for this patch to work properly. Please make sure to configure the setting according to your needs: The behavior of the Wishlist Sharing functionality can be controlled via a new config option in System > Config > Wishlist > Share Options > Enable Sharing | Download | Download |
| Apr 05 2021 | 40 | We fixed a vulnerability in the MySQL adapter to prevent SQL injection attacks. CVE-2021-21024 | Download | Download |
| May 28 2021 | 41 | Updates Zend_Http_Response to support HTTP/2 | Download | Download |
| May 28 2021 | 42 | (HIGH) This patch adds improved security to unserialize() calls to avoid unexpected object creation. Attention: This patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests. It might also affect functionality you intentionally wanted to create objects via unserialize(). It’s therefore crucial to test all your integrations and customizations before you apply it in your live environments! | Download | Download |
| May 28 2021 | 43 | (HIGH) We fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation. | Download | Download |
| May 28 2021 | 44 | (HIGH) Due to missing sanitation in data flow it was possible for admin users to upload arbitrary executable files to the server. | Download | Download |
| May 28 2021 | 45 | (HIGH) Layout XML enabled admin users to execute arbitrary commands via block methods. | Download | Download |
| May 28 2021 | 46 | (HIGH) We fixed a vulnerability in Magento’s package manager which lead to a RCE via race conditions. | Download | Download |
| May 28 2021 | 47 | Zend_Validator wasn’t able to validate emails with uptodate TLDs. The list of TLDs has been updated. | Download | Download |
| May 28 2021 | 48 | Adds array_key_first() and array_key_last() with a polyfill. | Download | Download |
| May 28 2021 | 49 | This fixes a bug introduced with patch #47. Magento uses a copy of Zend’s original file with modified paths. While updating the file’s content, these modified paths have been replaced with their originals. So Magento wasn’t able to find the correct files anymore. | Download | Download |
| Aug 9 2021 | 50 | Improves PHP5.6 compatibility for unserialization. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions! | Download | Download |
| Aug 9 2021 | 51 | Updates phpseclib to version 2.0.32 to fix CVE-2021-30130. | Download | Download |
| Aug 9 2021 | 52 | Fixes a persisted XSS vulnerability. | Download | Download |
| Aug 9 2021 | 53 | (CRITICAL) Restores missing .htaccess files from core automatically. In some Magento installations merchants or developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations:/app/.htaccess /dev/.htaccess /downloader/lib/.htaccess /downloader/Maged/.htaccess /downloader/template/.htaccess /includes/.htaccess /lib/.htaccess /media/downloadable/.htaccess /media/customer/.htaccess /shell/.htaccess /skin/frontend/rwd/default/scss/.htaccess /var/.htaccess | Download | Download |
| Aug 9 2021 | 54 | Improving PHP8 compatibility. | Download | Download |
| Aug 9 2021 | 55 | Prevent DoS attack via passwords larger than 4k. | Download | Download |
| Aug 9 2021 | 56 | (HIGH) An administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. | Download | Download |
| Aug 9 2021 | 57 | (HIGH) Arbitrary command execution in Custom Layout Update via block method. | Download | Download |
| Aug 9 2021 | 58 | (HIGH) Arbitrary file delete in customer media allows remote code execution. | Download | Download |
| Aug 9 2021 | 59 | This patch adds brute force attack prevention to customer login via Frontend and API as well as admin panel login. If enabled this feature prevents brute force login attacks by disabling the login feature once the failed login attempts limit is reached. With every failed login attempt the login retry time increases. This time is respecting the max_execution_time setting. The failed login attempts counter will be reset if a successful login is detected before it reaches the login attempt limit. Customer Login: To enable this feature, go to System > Configuration > Customer Options > Password Options. The Switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field Maximum number of failed attempts. If an account has too many failed logins, an error message will appear. The customer can then send an unlock link via email to the account’s address. The email template is called ‘Customer Account Unlock Notification’.Admin Login: To enable this feature, go to System > Configuration > Admin > Security. The switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field ‘Maximum number of failed attempts’. If an account has too many failed logins, an error message will appear. The administrator can then send an unlock link via email to the account’s address. The email template is called ‘Admin Account Unlock Notification’.API: To enable this feature, go to System > Configuration > Magento Core API > General Settings. The switch is called ‘Enable brute force protection’. | Download | Download |
| Sep 8 2021 | 60 | Some of our customers are using netz98’s magerun tool to maintain their stores. With this patch we add additional compatibility for our last patch #59 features with magerun by adding a reload() Method to the Mage_Customer_Model_Customer. | Download | Download |
| Sep 8 2021 | 61 | (HIGH) An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to the Zend_Db::factory(). | Download | Download |
| Nov 4 2021 | 62 | Improves deserialization performance for PHP 5.6. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions! | Download | Download |
| Nov 4 2021 | 63 | Fixes an issue with brute force protection (patch #59) and requesting reset password link. | Download | Download |
| Nov 4 2021 | 64 | (CRITICAL) An administrator with the right to create or edit CMS pages was able to upload and execute arbitrary code using the wysiwyg editor. | Download | Download |
| Jan 20 2022 | 65 | (CRITICAL) Improves security checks for patch #64 and adds compatibility with symlinked media directories. | Download | Download |
| Jan 20 2022 | 66 | Improves compatibility for third party code and patch #61. | Download | Download |
| Jan 20 2022 | 67 | (CRITICAL) Improves compatibility for import file uploads to ./var directory and patch #64. | Download | Download |
| May 12 2022 | 68 | (CRITICAL) Fixes to prevent RCE attacks via Varien_Convert_Adapter_Zend_Cache and Mage_Dataflow_Model_Convert_Adapter_Zend_Cache. These classes were not used in Magento core code, thus we decided to remove them completely. We did not see any valid use case to change cache entries via import/export. Attention: If you use any of theses classes in your customization, please be aware that you have to change your custom code in order to stay compatible. | Download | Download |
| May 12 2022 | 69 | (HIGH) This patch prevents sending passwords in emails in plain text. Passwords in emails will all be replaced with asterisks. One exception: If an administrator sets a new customer password via the admin panel, in this case you’ll now see a note on the input field that this password is sent in plain text. You now have a button to force sending a ‘Forgot Password’ email via the admin panel. | Download | Download |
| May 12 2022 | 70 | This patch fixes a JavaScript issue with Import/Export. | Download | Download |
| May 12 2022 | 71 | Fixes a session handling issue for downloadable products, introduced in SUPEE-11314. | Download | Download |
| May 19 2022 | 72 | This patch fixes a bug of patch #69 which stopped account confirmation emails to work. With patch #69 we introduced code to redact the customer password from the customer object. This patch fixes a bug that caused the customer account confirmation email to stop working. | Download | Download |
| Jul 25 2022 | 73 | This patch fixes an issue with the JS and CSS merge and sets the Content-Type on an educated guess basis. | Download | Download |
| Jul 25 2022 | 74 | This patch disables the phar:// protocol to open and/or execute content of phar files (e. g. in the context of including templates). Many of the found vulnerabilities use phar:// files to exploit the system. Forbidding the opening of phar files and preventing the unserialization on them hardens Magento. | Download | Download |
| Jul 25 2022 | 75 | This patch improves handling of admin passwords and makes sure to implement PCI security measures. You can now configure admin password strength settings in System > Configuration > Admin > Security > Admin Password Strength. You can set it to any of these values: Default Password must contain at least 7 characters. Password must contain at least one number and one letter. PCI All of the rules above. Change password every 90 days. No repetition of the last 4 passwords. If password is set by another admin, it is forced to be changed. All admin passwords are forced to be changed on activation. PCI Advanced All of the rules above. Password must contain special characters. | Download | Download |
| Jul 25 2022 | 76 | (CRITICAL) This patch fixes an issue where an admin could use the password forgot feature to escalate their privileges. This patch contains the SQL Formatter which is licensed under the MIT License. | Download | Download |
| Jul 25 2022 | 77 | This patch reduces deprecated messages with PHP 8.0/8.1. | Download | Download |
| Aug 10 2022 | 78 | Patch (#75) introduced a new feature to harden administrator passwords with forced PCI compliance. Unfortunately this patch interfered with our previously introduced brute force protection (Patch #59). Patch #78 fixes compatibility of admin password PCI compliance (#75) with brute force protection (#59). | Download | Download |
| Oct 27 2022 | 79 | This patch fixes a XSS vulnerability in Mage_Dataflow_Model_Convert_Adapter_Http::save() which allows the display of content via $this->getData() on the page using echo(). | Download | Download |
| Oct 27 2022 | 80 | This patch replaces rand() with mt_rand() since PHP 7.1 mt_rand() has superseded rand() completely, and rand() was made an alias for mt_rand(). | Download | Download |
| Oct 27 2022 | 81 | This patch improves Patch #78: If a user lacks permission to change his password, he is informed about it. This patch fixes the current redirect loop. | Download | Download |
| Oct 27 2022 | 82 | This patch improves Patch #76: Read-Query detection is extended by DESCRIBE, TABLES, VALUES, and PREPARE. | Download | Download |
| Oct 27 2022 | 83 | This patch adds a message ID to outgoing emails, because especially Google hardened their spam filter for emails without message ID. | Download | Download |
| Oct 27 2022 | 84 | This patch provides support for MySQL 8. | Download | Download |
| Mar 16 2023 | 85 | This patch improves PHP8 compatibility for Zend_Registry. | Download | Download |
| Mar 16 2023 | 86 | This patch improves PHP8 compatibility for report.php. | Download | Download |
| Jun 2 2023 | 87 | This patch improves password security by checking if password equals email address for customers and if password equals username or email address for admin users. | Download | Download |
| Jun 2 2023 | 88 | This patch improves PHP8 compatibility for the catalog product action attribute form. | Download | Download |
| Jun 2 2023 | 89 | This patch improves PHP8 compatibility for Mage_Api_Model_Wsdl_Config_Element. | Download | Download |
| Jun 2 2023 | 90 | This patch fixed an login loop issue caused by missing setOrigData(). This patch also hardens bruteforce password protection. | Download | Download |
| Jun 2 2023 | 91 | This patch fixes an issue with rejected mails due to incompatible line endings. After upgrading to PHP8, we noticed that all emails were rejected by some mail systems. As of PHP8, the mail() function separates all parts of an email using CRLF instead of LF. However, the Zend_Mail_Transport_Sendmail wrapper class still uses LF as line separator. This resulted in mails being sent with mixed line endings. | Download | Download |
| Jun 2 2023 | 92 | This patch prevents javascript execution in email template previews in admin panel. | Download | Download |
| Oct 30 2023 | 93 | This patch improves compatibility with PHP 8 and MySQL. Enables ATTR_STRINGIFY_FETCHES in MYSQL-PDO to avoid integer string problems in json encode. | Download | Download |
| Oct 30 2023 | 94 | This patch improves MySQL compatibility by adding data type support for unsigned integers. | Download | Download |
| Dec 20 2023 | 95 | (HIGH) This patch improves protection against bruteforce attacks to view guest orders. New protect codes are much longer now. This patch adds a new configuration option to System > Configuration > Sales > General > Block short guest order protect codes to blocks access for guest orders with short protect codes. Ref: CVE-2023-41879 | Download | Download |
| Dec 20 2023 | 96 | This patch fixes a typo for patch #94 where we misspelled unsigned with unsinged. | Download | Download |
| Feb 15 2024 | 97 | tinyMCE uses iFrame to show its content, which lead to an XSS vulnerability. By sandboxing the iFrame no XSS is possible anymore. Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use \r\n line breaks instead of \n line breaks for certain files. Option 1 If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: ```find . -type f -print0 | xargs -0 dos2unix</div> <div>**Option 2** If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks:find . -type f -name *.php -print -exec sed -i ’’ ’s/\r//’ {} ;``` | Download |
| Feb 15 2024 | 98 | Forgot Password feature now uses formkey protection to prevent CSRF attacks. | Download | Download |
| Feb 15 2024 | 99 | This patch improves compatibility for PHP8. In the reports section, total for each column will be calculated with additions. It also covers the name column, which does not contain numbers. The patch will make sure that all value are converted to numbers first. Warning! If e.g. product names start with a number, this will lead to wrong column totals! | Download | Download |
| Feb 15 2024 | 100 | This patch improves include file handling in environments with multiple symlinked directories. | Download | Download |
| Jul 30 2024 | 101 | This patch updates phpseclib to version 2.0.47, fixes DoS (denial of service) vulnerability. | Download | Download |
| Jul 30 2024 | 102 | (HIGH) This patch fixes XSS vulnerability in admin panel when uploading files. | Download | Download |
| Jul 30 2024 | 103 | This patch improves PHP 8 compatibility for modules when methods such as call_user_func_array are used. | Download | Download |
| Jul 30 2024 | 104 | This patch improves USPS compatibility. | Download | Download |
| Aug 29 2024 | 105 | This patch adds in-app rate limiting for specific URLs. ⚠️ We do highly recommend to use fail2ban for larger shops as it is much faster and provides more configuration. This feature here is meant to protect smaller shops with less sophisticated hosting setups. We do protect the following URLs by default with a limit of 10 requests per 10 seconds: /customer/account/login/sales/guest/formRate limits will be tracked in the table mageone_ratelimit_log. A cron job at 1.30 am will remove outdated entries. Further URLs can be added by custom modules. Use your config.xml file to add new entries to the global section like so:<mageone_ratelimit><custom_identifier><route>/path/of/url</route><enabled>true</enabled><max_queries_in_time_window>10</max_queries_in_time_window><time_window_in_seconds>10</time_window_in_seconds></custom_identifier></mageone_ratelimit> | Download | Download |
| Aug 29 2024 | 106 | (HIGH) This patch fixes a file content extraction vulnerability in dataflow. | Download | Download |
| Aug 29 2024 | 107 | (HIGH) This patch fixes a stored XSS vulnerability in dataflow. | Download | Download |
| Aug 29 2024 | 108 | This patch updates UPS integration to work with OAuth2.0. ⚠️ Please note that we were unable to get access to the official UPS Test API. This patch therefore is given without warranty. Please make sure to test it thoroughly in your own setup! | Download | Download |
| Aug 29 2024 | 109 | This patch fixes a missing translation helper for Patch #105. | Download | Download |
| Aug 29 2024 | 110 | This patch fixes dataflow realpath problems concerning Patch #107. | Download | Download |
| Aug 29 2024 | 111 | This patch improves PHP5.6 compatibility for UPS carrier update from Patch #108. | Download | Download |
| Dec 23 2024 | 112 | This patch fixes the wrong rate limit model instantiation from patch #105. | Download | Download |
| Dec 23 2024 | 113 | (HIGH) This patch fixes a stored XSS in admin system configs CVE-2024-41676. | Download | Download |
| Dec 23 2024 | 114 | This patch improves compatibility with PHP 8 and only closes files that have been opened before. | Download | Download |
| Dec 23 2024 | 115 | This patch fixes the wrong rate limit column name in the cleanup cron in patch #105. | Download | Download |
| Feb 12 2025 | 116 | (CRITICAL) This patch fixes an RCE (remote code execution) vulnerability, which allowed a low privileged admin panel user to upload a PHP file and gain full access to database and backend via custom product options file upload. | Download | Download |
| May 21 2025 | 117 | (HIGH) This patch fixes a Cross-Site-Scripting vulnerability in theme configuration fields. This patch will escape HTML content in the ‘Welcome’ message field. HTML from this field must be removed. | Download | Download |
| Jan 15 2026 | 118 | (HIGH) This patch fixes a XSS vulnerability in Magento’s URL processing system. Usage of getBaseUrl() is now protected by solid validation and encoding. Ref: CVE-2025-27400 | Download | Download |
Severity Categories
(CRITICAL)Critical severity issues allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.
(HIGH)High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate other origins or read cross-origin data. Bugs which would normally be critical severity with unusual mitigating factors may be rated as high severity.
Patch instructions
Warning
Please make a database backup before installing patches live. For best results, use a file versioning tool such as Git to apply the patch.
We recommend testing patches in a staging environment first. After testing, the patches can then be installed live using versioning software such as Git. This way the patch can be applied locally (or in the staging environment), then committed and pushed normally. The steps, provided by our partner, are as follows:
- Upload the local file into the
<Magento_root>on the server using SFTP, SSH or your normal transport method. - Verify the file is in the correct directory.
- In the command line interface, run the following command according to the patch extension:
- M1 Open Source:
$ patch -p1 --ignore-whitespace < /path/to/file - M1 Commerce:
$ patch -p0 --ignore-whitespace < /path/to/file
- M1 Open Source:
- For visible changes in the user interface to be reflected, refresh the cache in the Admin under
System > Cache Management.NoteIn some cases it will also be necessary to renew the indices.
Patches can also be undone, or reversed, with the
-Roption (or use your version control to remove the changes):- M1 Open Source:
$ patch -R -p1 < /path/to/file - M1 Commerce:
$ patch -R -p0 < /path/to/file
Further Reading
- Magento 1 EOL Support
- How to Contact Support
- Web Controls
- How to Block Countries from Accessing Your Site
- How to Edit the Whitelist
- How to Edit the Blacklist
Have questions not answered here? Contact Support to get more help.Last modified on June 3, 2026
- M1 Open Source: