23rd February 2016 Update: The patch has been updated to V1.1, which fixes a number of important issues listed in this post. Here is the list:

- Cart Merge Patch (SUPEE-7978): Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.
- SOAP API Patch (SUPEE-7822): The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
- PHP 5.3 Compatibility (SUPEE-7882): The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. Merchants experiencing this issue were unable to view sales information in the Admin.
- Upload File Permissions: The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch caused many merchants not to be able to view uploaded product images, depending on hosting provider configuration.

After digging into the patch, here are the relevant / interesting things I've found (N.B.: this list has been made by analyzing the patch for CE 1.9.2.0-1.9.2.2, there's probably more for patches affecting older versions of Magento):

- (fixed in V1.1 of the patch) The use of [] instead of array() in this patch makes it backward incompatible with PHP < 5.4 (see known issues below)
- As stated, most of the changes are html escaping and data sanitizing regarding XSS issues.
- Form key validation has been added to the admin login in Mage_Admin_Model_Observer
- Form key validation has been added to the admin forgot password in Mage_Adminhtml_IndexController
- Form key validation has been added to the admin reset password in Mage_Adminhtml_IndexController
- Form key validation has been added to the frontend cart delete action. Form key is added to the getDeleteUrl of Mage_Checkout_Block_Cart_Item_Renderer and validated in the deleteAction of Mage_Checkout_CartController.
- Events are now dispatched all lower case (every affected config file has been modified, e.g. controller_action_postdispatch_checkout_onepage_saveOrder becomes controller_action_postdispatch_checkout_onepage_saveorder). This does not affect your local observers configuration. More information here: https://twitter.com/foomanNZ/status/689924329065164800
- A new validator to check if an uploaded file is an image has been added: Mage_Core_Model_File_Validator_Image
- A new Import/Export section appears: System => Configuration => Advanced > System => Escape CSV Fields
- New event dispatched: admin_user_validate under Mage_Admin_Model_User
- SVG is not a valid favicon extension anymore
- For those using Authorizenet (I don't) it seems like a few changes have been made, not sure how it impacts the system though. Changes include a new admin helper (Mage_Authorizenet_Helper_Admin) used to get the success order url.
- New Zend class: Zend_Xml_Security. Its purpose is to scan XML string for potential XXE and XEE attacks. However I did not find any reference to it in the other modified files.
- Files uploaded via admin panel (i.e. product image upload) are now not world readable by default (before: 777 / after: 640).
- Directories are also not world executable (before 755 / after: 750). These two can cause issues with images not appearing on the website if the webserver runs as a different user from php (credits: @Rob Mangiafico)
- Regarding frontend templates: the only modifications made are data escaping, which are not system breakers but still recommended to implement on your custom theme (and there are only two frontend files affected, so not that much work ;) )

Known issues after patching:

I'll try to keep this list as up to date as possible.

Before starting a new issue/question, please ensure you've applied all the previous patches as it seems like a lot of issues come from missing patches.

Another thing is: if you have modified core files, applying the patch may fail. If you're having a Hunk # failed at error for a specific file and you're 100% sure you've applied all the previous patches, please ensure you have the original file from your Magento version by checking the mirror: https://github.com/OpenMage/magento-mirror/

List of affected files

It can be found on this page here: https://magento.stackexchange.com/a/98232/2380 (credits @MagenX)

EE Only

If you updated from Magento EE 1.14.2.x to Magento EE 1.14.2.3 instead of applying the patch, and also applied the support patch SUPEE-5984 before, you have to reapply it again because it is not included in the release. => https://magento.stackexchange.com/a/98805/2380

Regarding Patch 7616:

- Seems like patches 4291 and 6237 need to be applied before applying the patch. More information here: Apply 7616_EE 7405_EE patch not successfuly
- (Patch 5344 had not been applied) Possible problem when applying 7616 before applying 7405: SUPEE 7405 - Hunk #2 Failed at 43

Good resources about Magento patches

Feel free to let me know if I miss something.
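
An added example, not part of the original post: a small shell audit for the upload permission issue described above (files at 640, directories at 750), which the post says breaks image display when the webserver runs as a different user from PHP. The function names and the path passed in (for instance a store's media directory) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Magento).
# Audits an upload tree for the permission pattern the post describes:
# files without world-read (e.g. 640) and directories without
# world-execute (e.g. 750). Function names are hypothetical.

# List regular files that "other" cannot read (o+r bit missing).
unreadable_files() {
    find "$1" -type f ! -perm -004 -print
}

# List directories that "other" cannot traverse (o+x bit missing).
untraversable_dirs() {
    find "$1" -type d ! -perm -001 -print
}

# Print "<files> <dirs>" counts; return non-zero if anything was found,
# so the function can gate a deployment or monitoring check.
audit_upload_tree() {
    audit_root="$1"
    audit_files=$(unreadable_files "$audit_root" | wc -l | tr -d ' ')
    audit_dirs=$(untraversable_dirs "$audit_root" | wc -l | tr -d ' ')
    echo "$audit_files $audit_dirs"
    [ "$audit_files" -eq 0 ] && [ "$audit_dirs" -eq 0 ]
}

# Usage (path is an assumption): audit_upload_tree /path/to/magento/media
```

A non-zero result only matters on hosts where the webserver user is neither the owner nor in the group of the uploaded files; on such hosts the listed paths are the ones that will fail to load.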