Is magento/project-community-edition safe to use?

magento/project-community-edition has 146 known vulnerabilities on the latest version (2.0.2). DepScope rates its health at 15/100 (critical risk).

What is the latest version of magento/project-community-edition?

The latest version of magento/project-community-edition is 2.0.2, released 2016-01-28.

Does magento/project-community-edition have known vulnerabilities?

Yes. magento/project-community-edition has 146 known vulnerabilities. See depscope.dev/pkg/composer/magento/project-community-edition for details.

Is magento/project-community-edition deprecated?

No, magento/project-community-edition is actively maintained. Latest release: 2.0.2 (2016-01-28).

What are alternatives to magento/project-community-edition?

DepScope has no curated alternatives for magento/project-community-edition at this time.

What license does magento/project-community-edition use?

magento/project-community-edition is licensed under OSL-3.0.

magento/project-community-edition

composerv2.0.2

eCommerce Platform for Growth (Community Edition)

License OSL-3.0network copyleft53 versions2 deps

magento/magento2-community-edition

/ 100

Health

do not use

magento/project-community-edition has critical vulnerabilities — do not use

Update to >= 2.4.4-p12 to fix known vulnerabilities

Moderate health score (15/100) — verify manually
45 high severity vulnerabilities
15 critical vulnerabilities

Health breakdown0 – 100

0/25

maintenance

0/20

popularity

0/25

security

15/15

maturity

0/15

community

Vulnerabilities

146

15 critical45 high74 medium12 low

Advisories (146)

Severity	ID	Summary	Fixed in
high	CVE-2023-22247	Magento Open Source allows XML Injection	2.4.4-p3
high	CVE-2024-20719	Magento Open Source allows Cross-Site Scripting (XSS)	2.4.4-p7
critical	BIT-magento-2021-21014	Magento vulnerable to a file upload restriction bypass	2.4.2
high	CVE-2025-54264	Magento vulnerable to stored Cross-Site Scripting (XSS)	2.4.6-p13
low	CVE-2023-29294	Magento Open Source has Business Logic Errors Vulnerability	2.4.4-p4
high	CVE-2024-39402	Magento OS Command ('OS Command Injection') vulnerability	2.4.4-p10
medium	BIT-magento-2021-21020	Magento Improper Access Control	2.4.1-p1
critical	CVE-2021-36040	Magento has a file extension restrictions bypass	2.3.7-p1
low	CVE-2025-27192	Magento does not properly protect credentials	2.4.8-beta2
medium	CVE-2023-22251	Magento Open Source allows Incorrect Authorization	2.4.5-p2
low	CVE-2023-29295	Magento Open Source allows Incorrect Authorization	2.4.4-p4
high	CVE-2025-24411	Magento Improper Access Control vulnerability	2.4.4-p12
high	CVE-2021-36043	Magento affected by a blind SSRF vulnerability in the bundled dotmailer extension	2.4.2-p2
medium	BIT-magento-2021-28556	Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies	2.3.7
low	BIT-magento-2020-24403	Magento incorrect user permissions vulnerability within the Inventory component	2.4.1
medium	CVE-2025-24408	Magento Information Exposure vulnerability	2.4.4-p12
medium	CVE-2021-36012	Magento affected by a business logic error in the placeOrder graphql mutation	2.4.2-p2
medium	CVE-2021-36039	Magento discloses sensitive information	2.4.2-p2
low	CVE-2023-38219	Magento Open Source allows Cross-Site Scripting (XSS)	2.4.4-p6
low	CVE-2023-29296	Magento Open Source allows Incorrect Authorization	2.4.4-p4

... and 126 more

Threat intelligence

1 actively exploited (CISA KEV)

Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.

Health History

Dependency Tree

License Audit

Dependencies (2)

magento/product-community-edition composer/composer

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/composer/magento/project-community-edition

Last updated · 2016-01-28T23:14:06+00:00

Severity

Summary

Fixed in

high

CVE-2023-22247

Magento Open Source allows XML Injection

2.4.4-p3

high

CVE-2024-20719

Magento Open Source allows Cross-Site Scripting (XSS)

2.4.4-p7

critical

BIT-magento-2021-21014

Magento vulnerable to a file upload restriction bypass

2.4.2

high

CVE-2025-54264

Magento vulnerable to stored Cross-Site Scripting (XSS)

2.4.6-p13

low

CVE-2023-29294

Magento Open Source has Business Logic Errors Vulnerability

2.4.4-p4

high

CVE-2024-39402

Magento OS Command ('OS Command Injection') vulnerability

2.4.4-p10

medium

BIT-magento-2021-21020

Magento Improper Access Control

2.4.1-p1

critical

CVE-2021-36040

Magento has a file extension restrictions bypass

2.3.7-p1

low

CVE-2025-27192

Magento does not properly protect credentials

2.4.8-beta2

medium

CVE-2023-22251

Magento Open Source allows Incorrect Authorization

2.4.5-p2

low

CVE-2023-29295

Magento Open Source allows Incorrect Authorization

2.4.4-p4

high

CVE-2025-24411

Magento Improper Access Control vulnerability

2.4.4-p12

high

CVE-2021-36043

Magento affected by a blind SSRF vulnerability in the bundled dotmailer extension

2.4.2-p2

medium

BIT-magento-2021-28556

Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies

2.3.7

low

BIT-magento-2020-24403

Magento incorrect user permissions vulnerability within the Inventory component

2.4.1

medium

CVE-2025-24408

Magento Information Exposure vulnerability

2.4.4-p12

medium

CVE-2021-36012

Magento affected by a business logic error in the placeOrder graphql mutation

2.4.2-p2

medium

CVE-2021-36039

Magento discloses sensitive information

2.4.2-p2

low

CVE-2023-38219

Magento Open Source allows Cross-Site Scripting (XSS)

2.4.4-p6

low

CVE-2023-29296

Magento Open Source allows Incorrect Authorization

2.4.4-p4