Skip to content
Business Efficiency

Magento: 3 CISA KEV Entries, 0.97 EPSS Score. Adobe Paid $1.68B.

Adobe Commerce carries 288 CVEs. Its highest exploitation probability is 97%. Federal agencies must patch.

· 4 min read
Share on X LinkedIn
Magento: 3 CISA KEV Entries, 0.97 EPSS Score. Adobe Paid $1.68B.

The Price Tag and the Patch List

In May 2018, Adobe acquired Magento for $1.68 billion, folding a widely deployed open-source e-commerce platform into its Experience Cloud suite. The rebrand to Adobe Commerce followed. The vulnerability trajectory did not change. Magento carries 288 CVEs in the National Vulnerability Database. Three of those CVEs appear in CISA's Known Exploited Vulnerabilities catalog — the federal government's binding directive list that mandates remediation timelines for all civilian executive branch agencies.

KEV inclusion is not speculative. It means confirmed exploitation in the wild. When CISA adds a vulnerability to the KEV catalog, federal agencies face mandatory patching deadlines. Private sector organizations are not legally bound by CISA's directives, but the KEV catalog has become a de facto risk indicator for enterprise procurement and cyber insurance underwriting. Three entries is a short list. It is also three more than Shopify's headless commerce stack.

3
CISA KEV entries
Source: CISA Known Exploited Vulnerabilities Catalog (June 2026)
0.97
Highest EPSS score
97% probability of exploitation within 30 days. Source: FIRST.org EPSS (June 2026)
288
Total CVEs
Source: NVD/NIST (June 2026)

What a 0.97 EPSS Score Means

The Exploit Prediction Scoring System, maintained by FIRST.org, assigns a probability that a given CVE will be exploited in the wild within the next 30 days. The scale runs from 0 to 1. Magento's highest EPSS score is 0.97 — placing it in the top fraction of a percent of all scored vulnerabilities globally. A 97% exploitation probability is not a theoretical risk assessment. It is a near-certainty, derived from observed attack patterns, available exploit code, and real-world telemetry.

For organizations operating Adobe Commerce instances, this score attaches a quantifiable probability to breach exposure. Cyber insurers increasingly reference EPSS alongside CVSS when evaluating policyholder risk. A platform with a 0.97 on any single vulnerability is not a platform with a manageable risk profile — it is a platform where the question is not whether exploitation occurs but whether the organization detects it in time.

The $1.68 Billion Inheritance

Adobe's acquisition rationale centered on commerce experience, not security posture. Eight years later, the platform's CVE count has grown, its KEV entries have accumulated, and its EPSS scores reflect active targeting by threat actors. The $1.68 billion bought market share and merchant install base. It also bought a security surface area that Adobe has spent nearly a decade managing through patch cycles.

$1.68B
Adobe acquisition price
Source: Adobe Inc. press release (May 2018)

Global e-commerce is a $3.4 trillion market in 2026. The platforms underpinning that market carry vastly different security profiles. Shopify's managed infrastructure model means merchants never see CVE advisories — the platform handles patching invisibly. WooCommerce inherits WordPress's 18,000+ CVE catalog. Magento sits in a middle ground where the platform is nominally managed by Adobe but deployed across thousands of self-hosted instances where patching discipline varies widely.

$3.4T
Global e-commerce market
Source: eMarketer (2026)

The Procurement Signal

CISA's KEV catalog was designed to drive federal patching. Its secondary effect has been to create a public, authoritative risk signal that procurement teams and compliance officers reference during vendor evaluation. Three KEV entries for a commerce platform means three instances where exploitation was confirmed, documented, and elevated to a federal mandate. Organizations evaluating their e-commerce infrastructure now have a concrete metric: how many of your platform's vulnerabilities required a government directive to remediate?

The answer for Hugo-based headless commerce: zero. For Next.js commerce stacks: zero KEV entries. For Magento: three, with exploitation probabilities that approach certainty. The frame is still ornate. What it holds continues to deteriorate.

Share this insight