Magento have released a new patch for Magento Commerce 1.14.3.6 and Open Source 1.9.3.6.

SUPEE-10266 is a very important security patch that protects against several security-related issues. The patch:

  • Closes cross-site request forgery (CSRF) vulnerabilities.

  • Fixes unauthorized data leakage.

  • Closes authenticated Admin user remote code execution vulnerabilities.

  • Includes fixes for issues with image reloading and payments using one-step checkout.

  • Includes a fix for issues related to checkout with a zero order amount on Magento Commerce (Enterprise Edition).

You can read the full specs of the patch via the Magento Technical Resources Centre.

What you need to do

You must apply this new security patch as soon as possible. It can be downloaded from https://www.magentocommerce.com/download

If your current development partner or in-house development team doesn't already have this on their backlog, we would recommend prioritising this task as soon as possible.