The Price Tag and the Patch List
In May 2018, Adobe acquired Magento for $1.68 billion, folding a widely deployed open-source e-commerce platform into its Experience Cloud suite. The rebrand to Adobe Commerce followed. The vulnerability trajectory did not change. Magento carries 288 CVEs in the National Vulnerability Database. Three of those CVEs appear in CISA's Known Exploited Vulnerabilities catalog — the federal government's binding directive list that mandates remediation timelines for all civilian executive branch agencies.
KEV inclusion is not speculative. It means confirmed exploitation in the wild. When CISA adds a vulnerability to the KEV catalog, federal agencies face mandatory patching deadlines. Private sector organizations are not legally bound by CISA's directives, but the KEV catalog has become a de facto risk indicator for enterprise procurement and cyber insurance underwriting. Three entries is a short list. It is also three more than Shopify's headless commerce stack.
What a 0.97 EPSS Score Means
The Exploit Prediction Scoring System, maintained by FIRST.org, assigns a probability that a given CVE will be exploited in the wild within the next 30 days. The scale runs from 0 to 1. Magento's highest EPSS score is 0.97 — placing it in the top fraction of a percent of all scored vulnerabilities globally. A 97% exploitation probability is not a theoretical risk assessment. It is a near-certainty, derived from observed attack patterns, available exploit code, and real-world telemetry.
For organizations operating Adobe Commerce instances, this score attaches a quantifiable probability to breach exposure. Cyber insurers increasingly reference EPSS alongside CVSS when evaluating policyholder risk. A platform with a 0.97 on any single vulnerability is not a platform with a manageable risk profile — it is a platform where the question is not whether exploitation occurs but whether the organization detects it in time.
The $1.68 Billion Inheritance
Adobe's acquisition rationale centered on commerce experience, not security posture. Eight years later, the platform's CVE count has grown, its KEV entries have accumulated, and its EPSS scores reflect active targeting by threat actors. The $1.68 billion bought market share and merchant install base. It also bought a security surface area that Adobe has spent nearly a decade managing through patch cycles.
Global e-commerce is a $3.4 trillion market in 2026. The platforms underpinning that market carry vastly different security profiles. Shopify's managed infrastructure model means merchants never see CVE advisories — the platform handles patching invisibly. WooCommerce inherits WordPress's 18,000+ CVE catalog. Magento sits in a middle ground where the platform is nominally managed by Adobe but deployed across thousands of self-hosted instances where patching discipline varies widely.
The Procurement Signal
CISA's KEV catalog was designed to drive federal patching. Its secondary effect has been to create a public, authoritative risk signal that procurement teams and compliance officers reference during vendor evaluation. Three KEV entries for a commerce platform means three instances where exploitation was confirmed, documented, and elevated to a federal mandate. Organizations evaluating their e-commerce infrastructure now have a concrete metric: how many of your platform's vulnerabilities required a government directive to remediate?
The answer for Hugo-based headless commerce: zero. For Next.js commerce stacks: zero KEV entries. For Magento: three, with exploitation probabilities that approach certainty. The frame is still ornate. What it holds continues to deteriorate.


