-Added October 26, 2020

This hotfix resolves an issue with Magento Commerce and Open Source 2.4.1 and 2.3.6 where the "Create an Account" button on the Create New Account page remains disabled if a shopper has entered invalid data. This prevents shoppers from re-attempting to create an account after making an error.

Affected Magento versions: Magento Commerce and Open Source v2.4.1 / v2.3.6 (on prem and Cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This hotfix resolves an issue with Magento Commerce 2.4.0 and Magento Open Source 2.4.0 where Magento throws an error when opening "Sales > Braintree Virtual Terminal". See Braintree Virtual Terminal page is corrupted Knowledge Base article.

This hotfix resolves an issue with Magento Commerce 2.4.0 and Magento Open Source 2.4.0 where merchants could not access the Braintree Settlement Report page (Admin > Reports).

This hotfix resolves an issue with Magento Commerce 2.4.0 where merchants could not interact with any page elements on the Returns page after creating a shipping label for a Return Merchandise Authorization (RMA).

This hotfix resolves an issue with Magento Commerce 2.4.0 and Magento Open Source 2.4.0 where merchants could not add ordered products to a package from the Admin Create Package page and save the package.

-Added May 20, 2020

This patch resolves an issue in Magento 2.3.5 and 2.3.5-p1 where the storefront checkout workflow did not display any payment method that has been enabled for specific countries with the exception of the Klarna and Amazon Pay payment methods.

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added May 04, 2020

This patch resolves the issue with inability to change a payment method on checkout "Review & Payments" step from the payments widget, while checking out with Amazon Pay.

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 / v2.3.5-p2 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

While the fix for that bug stopped the logging of failed login attempts, information collected prior to updating to these current versions may still exist, and previous, unpatched versions of Magento may still have this issue. This patch clears the login attempts that were previously collected. See Remove failed login attempts from the database for information on how to download and install this patch.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

This hot fix resolves issues that merchants experienced with custom attributes after upgrading to Magento 2.2.6. Merchants were not able to save a newly created multiselect or dropdown customer attribute. Additionally, merchants could not edit existing customer attributes from the customer’s account on the storefront.

This patch provides performance optimization for retrieving product attributes in Magento 2.2.5

This patch provides a fix for problems that merchants experienced when trying to change a storefront’s applied theme in Magento 2.2.4 or 2.2.5. See GitHub-14968 for more information. Merchants who are running Magento 2.2.4 should upgrade to 2.2.5 and then apply this patch. Merchants who are running 2.2.5 should apply this patch or upgrade to 2.2.6 when it becomes available.

Resolution of issues that customers were experiencing when upgrading to Magento 2.2.4 in deployments that span multiple websites. Magento multi-store installations were not using the store view-specific values from the store configuration settings if these settings differed from the global default configuration settings. Instead, Magento used the default configuration for all store views. See GitHub-15205 and GitHub-15245 for more detailed discussions of the problems some customers encountered.

Hot fix MAGETWO-67805 provides a fix for the image resizing issue that affects installations of Magento 2.1.6 CE. For details, see Image Resize Issue with Magento version 2.1.6.

Patch MDVA-532 fixes an issue with the Magento composer-installer component that causes upgrades to fail. For details, see Upgrade to Magento version 2.1 (June 22, 2016)

Patch MDVA-449 provides a fix for potential upgrade issues for Magento CE installations running PHP 5.5.x and a specific version of the Magento Setup application (also known as the Updater application). Please review the Required patch for PHP 5.5.x and Setup Application environments (June 2, 2016) Technical Bulletin to assess your need for this patch, and how to apply it, if you do.

Patch MDVA-84 for Magento Community Edition – MDVA-84.zip, .tar.gz, and .tar.bz2, Apply this patch if you are running Magento CE 2.0.1 and your Magento server runs 7.0.1 or PHP 7.0.2. It adds support for PHP 7.0.2 to the updater application. See technical bulletin Issues upgrading to 2.0.1 (Jan. 28, 2016) for more information.