The Highest Commit Count in the Dataset
Magento logs 6,767 commits per year. That is the highest commit velocity of any framework WebPulse tracks — higher than Next.js (5,751), higher than Angular (3,950), higher than Spring (2,219). Adobe, which acquired Magento in 2018 for $1.68 billion, has not underinvested in engineering. By raw development activity, Magento is the most actively maintained framework in the ecosystem.
And yet Magento carries 288 known CVEs, ranks among the bottom third of frameworks by WebPulse score, and has been the subject of multiple CISA Known Exploited Vulnerabilities directives. The disconnect between engineering input and security output is the defining characteristic of Magento's architecture.
288 CVEs Despite Maximum Effort
Magento's 288 CVEs place it fifth in the WebPulse vulnerability dataset, behind WordPress (18,333), Drupal (1,376), Joomla (1,313), and Django (294). But Magento's position is uniquely troubling because of what it reveals about the relationship between investment and outcomes.
Django has 294 CVEs against 1,039 annual commits — a ratio of 0.28 CVEs per annual commit. Magento has 288 CVEs against 6,767 annual commits — a ratio of 0.04. On the surface, Magento's ratio looks better. But the interpretation is inverted: Magento requires 23.5 annual commits for every CVE in its history, meaning massive engineering effort is consumed by complexity management, compatibility maintenance, and the architectural overhead of a monolithic e-commerce platform. Django achieves comparable security outcomes with one-sixth the engineering effort.
12,136 Stars Tell the Adoption Story
Despite having the highest commit velocity in the ecosystem, Magento has only 12,136 GitHub stars. That places it below Eleventy (19,732), a static site generator maintained largely by one person. It is below HTMX (48,239), a library that logged 122 commits last year. GitHub stars are an imperfect metric, but at this scale, the discrepancy is meaningful: the developer community is not choosing Magento for new projects.
Magento's 259 contributors are outnumbered by the contributor bases of frameworks with far fewer commits. React has 411 contributors producing 1,042 commits. Vue has 441 contributors producing 391 commits. Magento's 259 contributors producing 6,767 commits means each contributor averages 26 commits per year — the highest per-contributor workload in the dataset. This is not a sign of productivity. It is a sign of a small, overextended team maintaining a codebase that demands constant attention.
The E-Commerce Platform Tax
Magento is not a web framework in the way React or Django are frameworks. It is a full e-commerce platform — product catalog, shopping cart, checkout, payment processing, inventory management, order fulfillment, and customer accounts — bundled into a single deployable monolith. Every one of those subsystems is an attack surface. Every integration point is a potential vulnerability.
Modern e-commerce architectures have moved toward headless commerce — API-first backends paired with lightweight frontends built on Next.js, Astro, or Nuxt. This architectural pattern reduces the attack surface by decomposing the monolith into independently secured services. Magento's 6,767 annual commits are, in large part, the cost of maintaining an architecture that the industry has moved beyond.
What the Numbers Mean for Budget Holders
Adobe's engineering investment in Magento is real and substantial. The 6,767 annual commits represent millions of dollars in developer time. But for a CTO evaluating e-commerce infrastructure, the question is not whether Adobe is investing — it clearly is. The question is whether that investment is producing security outcomes proportional to its cost. With 288 CVEs, CISA KEV entries, and a star count that suggests the next generation of developers is building elsewhere, the data points to a platform where engineering effort is consumed by architectural gravity rather than producing forward progress.


