Magebean Console: Security Monitoring for Magento Agencies

Magento 2 Composer.lock Audit

Client-Ready Magento 2 Security Report

Built for Magento agencies and maintainers. Upload a composer.lock and get a client-ready PDF: outdated/vulnerable modules, CVE mapping, vendor risk summary, core status, and upgrade recommendations.

Upload composer.lock

This audit analyzes only what is recorded in your composer.lock file.
If your Magento instance modifies core files, applies patches manually, or bypasses Composer, the audit cannot detect those changes.

Latest CVEs

  • GHSA-595p-g7xc-c333 2026-01-14

    Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling

  • CVE-2025-69277 2025-12-31

    libsodium has Incomplete List of Disallowed Inputs

  • CVE-2025-67746 2025-12-30

    Composer is vulnerable to ANSI sequence injection

  • CVE-2025-14761 2025-12-18

    AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue

  • CVE-2025-64500 2025-11-12

    Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

  • CVE-2025-54264 2025-10-14

    Magento vulnerable to stored Cross-Site Scripting (XSS)

  • CVE-2025-54263 2025-10-14

    Magento provides incorrect authorization through a security feature bypass

  • CVE-2025-54266 2025-10-14

    Magento vulnerable to stored Cross-Site Scripting (XSS)

  • CVE-2025-54267 2025-10-14

    Magento vulnerable to privilege escalation due to incorrect authorization

  • CVE-2025-54265 2025-10-14

    Magento allows incorrect authorization

  • CVE-2025-54236 2025-09-09

    Magento Community Edition Improper Input Validation vulnerability

  • CVE-2025-49555 2025-08-12

    Magento Cross-Site Request Forgery (CSRF) vulnerability

  • CVE-2025-49556 2025-08-12

    Magento has incorrect authorization issue that leads to arbitrary file system read

  • CVE-2025-49557 2025-08-12

    Magento Cross-site Scripting vulnerability

  • CVE-2025-49559 2025-08-12

    Magento vulnerable to path traversal

  • CVE-2025-49558 2025-08-12

    Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

  • CVE-2025-49554 2025-08-12

    Magento vulnerable to denial of service

  • CVE-2025-49549 2025-06-26

    Magento Authenticated Security feature bypass

  • CVE-2025-49550 2025-06-26

    Magento Security feature bypass

  • CVE-2025-47110 2025-06-10

    Magento contains stored XSS vulnerability

Upload a composer.lock to create the first scan and watch it move from pending -> running -> finished.

FAQ

Common questions

1) Is it safe to upload my composer.lock?
Yes. composer.lock only lists package names/versions — no domains, URLs, passwords, API keys, database credentials, customer data, or proprietary code. We scan for outdated/vulnerable dependencies and discard the file after the scan completes.
2) What do you detect in my Magento project?
Version gaps in Magento core/modules and vendor modules, abandoned modules, known CVEs, patch level, version-gap risk, missing updates, and latest monthly CVEs that may affect your site.
3) What do I get in the paid report?
Full report ($99) with complete outdated/vulnerable module list, detailed CVE mapping, vendor risk summary (Amasty, Aheadworks, Mirasvit, …), Magento core status, upgrade recommendations, shareable PDF, and receipt.
4) Can you identify my store from composer.lock?
No. composer.lock has no domain, base URL, environment info, server IP, or admin URL. We cannot trace your site.
5) Do you store my composer.lock file?
No. Parsed in-memory and discarded after the scan.
6) How long does the scan take?
Typically 3–7 seconds depending on module count, vendor complexity, and Packagist availability.
7) What does the free scan include?
Totals for modules detected, outdated modules, vulnerable modules, abandoned modules, Magento core status, and latest CVE matches. Full details are in the paid report.
8) How much does the full report cost?
One-time $99 USD.
9) Is there a refund policy?
Yes. 7-day no-questions-asked refund—reply to the receipt email within 7 days.
10) What happens after I purchase?
Complete Stripe payment, immediately receive the download link, and get the receipt via email.