{"id":13518984,"url":"https://github.com/sansecio/magevulndb","last_synced_at":"2026-03-12T22:15:14.532Z","repository":{"id":37450548,"uuid":"160542079","full_name":"sansecio/magevulndb","owner":"sansecio","description":"List of Magento extensions with known security issues. ","archived":false,"fork":false,"pushed_at":"2026-01-23T15:07:15.000Z","size":163,"stargazers_count":208,"open_issues_count":10,"forks_count":37,"subscribers_count":50,"default_branch":"master","last_synced_at":"2026-03-10T16:32:41.268Z","etag":null,"topics":["extensions","magento","vulnerability"],"latest_commit_sha":null,"homepage":"https://sansec.io","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sansecio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-12-05T15:52:14.000Z","updated_at":"2026-01-23T15:07:19.000Z","dependencies_parsed_at":"2024-08-13T00:22:41.915Z","dependency_job_id":"0f8d384b-4f4d-46f8-9083-b0393ccf3d66","html_url":"https://github.com/sansecio/magevulndb","commit_stats":null,"previous_names":["gwillem/magevulndb"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sansecio/magevulndb","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sansecio%2Fmagevulndb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sansecio%2Fmagevulndb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sansecio%2Fmagevulndb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sansecio%2Fmagevulndb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sansecio","download_url":"https://codeload.github.com/sansecio/magevulndb/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sansecio%2Fmagevulndb/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30446433,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-12T21:31:01.033Z","status":"ssl_error","status_checked_at":"2026-03-12T21:30:43.161Z","response_time":114,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["extensions","magento","vulnerability"],"created_at":"2024-08-01T05:01:51.656Z","updated_at":"2026-03-12T22:15:14.514Z","avatar_url":"https://github.com/sansecio.png","language":"PHP","funding_links":[],"categories":["PHP","Security"],"sub_categories":["Free"],"readme":"# Magento Vulnerability Database\n\nList of Magento 1 and 2 integrations with known security issues. **Objective: easily identify insecure 3rd party software in your Magento code base.** See our blog for the rationale: [Bad extensions now main source of Magento hacks \u0026 a solution](https://sansec.io/research/magento-module-blacklist)\n\n![n98-magerun dev:module:security](https://buq.eu/screenshots/kUOyTTWeDIUXUrGU1kqAmqu5.png)\n\n# [Magento 1 list](magento1-vulnerable-extensions.csv) / [Magento 2 list](magento2-vulnerable-extensions.csv)\n\nThe list contains these columns:\n\n1. `Vendor_Name` of the module\n    - Reported under M1 using `n98-magerun dev:module:list` or `Mage::getConfig()-\u003egetNode()-\u003emodules`\n    - Reported under M2 using `bin/magento module:status`\n1. The earliest safe version to use. Older entries are considered insecure. \n1. Part of the URL that attackers use to exploit this module. Can be used to search logfiles for malicious activity. (optional)\n1. Reference URL describing the problem. If no public statement is available, then the name of the researcher who discovered it.\n1. URL with upgrade instructions (optional)\n\n# Context\n\nMagento is an attractive target for payment skimmers and the number of attacks has increased steadily since 2015. In 2018, attackers shifted from Magento core exploits (eg, Shoplift, brute force attacks on admin passwords) to [3rd party software components](https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/). This poses a practical problem: there is no central place where one can (programmatically) find out whether a particular module version has known security issues. This repository solves that!\n\n# Usage\n\nYou can quickly scan your site against this repository using a Magerun module or a single-line command. Both require command line or SSH access to the server. Magerun is recommended as it can be easily scheduled or used on an ongoing basis, and provides better output. Both approaches load the latest vulnerability data on every run.\n\n### Magerun module (recommended)\n\n1. [Install n98-magerun](https://github.com/netz98/n98-magerun) for Magento 1 or Magento 2.\n2. Install the Magento Vulnerability Database plugin:\nFor Magento 1:\n```\nmkdir -p ~/.n98-magerun/modules\ncd ~/.n98-magerun/modules\ngit clone https://github.com/gwillem/magevulndb.git\n```\nFor Magento 2:\n```\nmkdir -p ~/.n98-magerun2/modules\ncd ~/.n98-magerun2/modules\ngit clone https://github.com/gwillem/magevulndb.git\n```\n\n\n3. Scan your Magento install:\n```\nn98-magerun.phar dev:module:security\n```\n\nYou can also use the `-q` flag to limit output to findings only.\n```\nn98-magerun.phar dev:module:security -q\n```\n\nYou can check the exit code, for example to fail a build when a vulnerable module is detected:\n\n* exit code `0`: no known vulnerabilities found\n* exit code `1`: known vulnerabilities found\n* exit code `2`: vulnerability data could not be loaded\n\n### No magerun installed under Magento 1?\n\nTo quickly check a Magento installation for vulnerable modules, run this command in SSH **at your Magento 1 site root**:\n\n    php -r 'require_once(\"app/Mage.php\");Mage::app();$config=Mage::getConfig()-\u003egetNode()-\u003emodules;$found=array();$list=fopen(\"https://raw.githubusercontent.com/gwillem/magevulndb/master/magento1-vulnerable-extensions.csv\",\"r\");while($list\u0026\u0026list($name,$version)=list($row[\"module\"],$row[\"fixed_in\"],,$row[\"reference\"],$row[\"update\"])=fgetcsv($list)){if(isset($name,$version,$config-\u003e{$name},$config-\u003e{$name}-\u003eversion)\u0026\u0026(empty($version)||version_compare($config-\u003e{$name}-\u003eversion,$version,\"\u003c\"))){$found[]=$row;}}if($found){echo \"Found possible vulnerable modules: \".print_r($found,1);}else{echo \"No known vulnerable modules detected.\";}'\n\nYou can check the exit code, for example to fail a build when a vulnerable module is detected:\n\n* exit code `0`: no known vulnerabilities found\n* exit code `1`: known vulnerabilities found\n\nThis script only works under Magento 1. For Magento 2, use Magerun instead.\n\n# Contributing\n\nContributions welcome. Requirements:\n\n- Either \"name\" or \"uri\" (in case of exploitation in the wild) is required.\n- A reputable, verifiable source is required.\n- In case of admin URL disclosure: the issue is not fixed by disabling the [security compatibility mode](https://magento.stackexchange.com/questions/88435/admin-routing-compatibility-mode-for-extensions-enable-or-disable)\n\nOnly security issues that have *verified proof* or are being *actively exploited* in the wild should be considered. \n\nPlease consider *responsible disclosure* before submitting zero-day vulnerabilities. If no immediate abuse is likely, please notify the vendor first and allow 30 days for a patch \u0026 release statement. \n\n# FAQ\n\n### Why a new repository?\n\nThere are many good initiatives already, however they either lack a simple web GUI, are too complicated to maintain or do not cover all extensions out there. For Magento 2, there is already excellent support via composer, please refer to [Roave's SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) for automated composer integration. Still, Roave's approach requires you to run a composer command to check for new updates. With this Magerun command, you can leave the composer files untouched. Obviously, it also works on Magento 1 and 2 installs that are not managed by composer at all.\n\n### What if a module has multiple security issues over time?\n\nWe register the newest only and advice everybody to upgrade to the latest version. If people want to stick to an older (possible insecure) version, they should study the relevant changelogs. \n\n### What about modules that are known under several names?\n\nThe name as registered in the code (and output by `n98-magerun dev:module:list`) is leading. If a module is known under several (code) names, then we should create duplicate entries, so that automated tools will not ignore such an entry.\n\n### What if I don't know the module name?\n\nIf you have a URL that is being attacked but don't know what module it belongs to, submit it but leave the name \"`?`\". It will be backfilled when the actual module is identified.\n\n### There are multiple sources, which should I use?\n\nIf the vendor has issued a security statement, that should be leading. Otherwise, a statement by a security researcher (Blog/Twitter) can be used. If a vendor has issued a statement that is false or misleading, an independent statement should take precedence. \n\n### We could add more information X?\n\nIndeed, but the main advantage of a simple CSV with few columns is that it's easy to browse, maintain and extend. Other projects have stalled because there is too much overhead in vulnerability administration. The primary objective of this repository is to support a n98-magerun command. If people want more information, they can look it up via the referenced source. \n\n### What is the Relevant URI column for?\n\nThis can be used by tools to filter \"suspicious\" web traffic from the logs, for example to check if malicious activity has already taken place. The URI should be enough to uniquely match the module's vulnerable URL(s), if possible.    \n\n### What if there are multiple relevant URLs?\n\nSeperate them with a \";\"\n\n### What if a module does not have version numbers?\n\nUse the date of the fix in YYYY-MM-DD notation.\n\n### What if the vendor provides a fix but does not update the version number?\n\nSome Magento 1 modules, such as Mirasvit ([discussion](https://github.com/gwillem/magevulndb/pull/40)) do not use the standard version numbering, so vulnerable versions cannot be automatically detected. To eliminate false alarms, all such modules are prefixed with an underscore, so the automatic module parser will not recognize them. It is suboptimal but better than not storing information at all. \n\n# Acknowledgements\n\nThese Magento/security professionals have contributed valuable research and code:\n\n- Ryan Hoerr - ParadoxLabs\n- Peter O'Callaghan\n- Max Chadwick - Something Digital\n- Jeroen Vermeulen - MageHost.pro\n- Roland Walraven - MageHost.pro\n- Martin Pachol - MageMojo\n- Jisse Reitsma - Yireo\n- [Niko Granö](https://xn--gran-8qa.fi) - [Lamia.fi](https://lamia.fi/en/)\n- Martien Mortiaux - [AlterWeb.nl](https://www.alterweb.nl/)\n\n# License\n\nThe information and code of this repository is provided free of charge, without warranty or assumed liability of any kind. Merchants and development agencies are free to use this data to assess their own stores. It is not allowed to use or include this data in commercial products or offerings. \n\n# Contact\n\n[info@sansec.io](mailto:info@sansec.io?subject=magevulndb)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsansecio%2Fmagevulndb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsansecio%2Fmagevulndb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsansecio%2Fmagevulndb/lists"}