Magebean Logo Magebean Console Security Monitoring for Magento Agencies

Magento 2 Composer.lock Audit

Client-Ready Magento 2 Security Report

Built for Magento agencies and maintainers. Upload a composer.lock and get a client-ready PDF: outdated/vulnerable modules, CVE mapping, vendor risk summary, core status, and upgrade recommendations.

Upload composer.lock

This audit analyzes only what is recorded in your composer.lock file.
If your Magento instance modifies core files, applies patches manually, or bypasses Composer, the audit cannot detect those changes.

Uploading file, please wait…

Latest CVEs

Vulns
  • CVE-2026-25129 2026-01-30

    PsySH has Local Privilege Escalation via CWD .psysh.php auto-load

  • CVE-2026-24739 2026-01-28

    Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

  • CVE-2026-24765 2026-01-27

    PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling

  • GHSA-595p-g7xc-c333 2026-01-14

    Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling

  • CVE-2025-69277 2025-12-31

    libsodium has Incomplete List of Disallowed Inputs

  • CVE-2025-67746 2025-12-30

    Composer is vulnerable to ANSI sequence injection

  • CVE-2025-14761 2025-12-18

    AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue

  • CVE-2025-64500 2025-11-12

    Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass

  • CVE-2025-54264 2025-10-14

    Magento vulnerable to stored Cross-Site Scripting (XSS)

  • CVE-2025-54263 2025-10-14

    Magento provides incorrect authorization through a security feature bypass

  • CVE-2025-54266 2025-10-14

    Magento vulnerable to stored Cross-Site Scripting (XSS)

  • CVE-2025-54267 2025-10-14

    Magento vulnerable to privilege escalation due to incorrect authorization

  • CVE-2025-54265 2025-10-14

    Magento allows incorrect authorization

  • CVE-2025-54236 2025-09-09

    Magento Community Edition Improper Input Validation vulnerability

  • CVE-2025-49555 2025-08-12

    Magento Cross-Site Request Forgery (CSRF) vulnerability

  • CVE-2025-49556 2025-08-12

    Magento has incorrect authorization issue that leads to arbitrary file system read

  • CVE-2025-49557 2025-08-12

    Magento Cross-site Scripting vulnerability

  • CVE-2025-49559 2025-08-12

    Magento vulnerable to path traversal

  • CVE-2025-49558 2025-08-12

    Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

  • CVE-2025-49554 2025-08-12

    Magento vulnerable to denial of service

No scans yet

Upload a composer.lock to create the first scan and watch it move from pending -> running -> finished.

Preview sample reports:

View sample HTML Download sample PDF

FAQ

Common questions

Tap to toggle answers. Questions are extra large for quick scanning.

1) Is it safe to upload my composer.lock?
Yes. composer.lock only lists package names/versions — no domains, URLs, passwords, API keys, database credentials, customer data, or proprietary code. We scan for outdated/vulnerable dependencies and discard the file after the scan completes.
2) What do you detect in my Magento project?
Version gaps in Magento core/modules and vendor modules, abandoned modules, known CVEs, patch level, version-gap risk, missing updates, and latest monthly CVEs that may affect your site.
3) What do I get in the paid report?
Full report ($99) with complete outdated/vulnerable module list, detailed CVE mapping, vendor risk summary (Amasty, Aheadworks, Mirasvit, …), Magento core status, upgrade recommendations, shareable PDF, and recept.
4) Can you identify my store from composer.lock?
No. composer.lock has no domain, base URL, environment info, server IP, or admin URL. We cannot trace your site.
5) Do you store my composer.lock file?
No. Parsed in-memory and discarded after the scan.
6) How long does the scan take?
Typically 3–7 seconds depending on module count, vendor complexity, and packagist availability.
7) What does the free scan include?
Totals for modules detected, outdated modules, vulnerable modules, abandoned modules, Magento core status, and latest CVE matches. Full details are in the paid report.
8) How much does the full report cost?
One-time $99 USD.
9) Is there a refund policy?
Yes. 7-day no-questions-asked refund—reply to the receipt email within 7 days.
10) What happens after I purchase?
Complete Stripe payment, immediately receive the download link, and get the receipt via email.