SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

Information on all the changes in 1.14.3.6 and 1.9.3.6 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

Magento Commerce 1.9.0.0-1.14.3.4: SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6

Magento Open Source 1.5.0.0-1.9.3.4: SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6

Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for a functional issues MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch SUPEE-10348, that needs to be installed on top of SUPEE-10266.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.6 Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.6 SUPEE-10266 Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2017

Magento Commerce Merchants:

Magento Commerce 1.14.3.6 My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version

1.x Releases > Version 1.14.3.6 SUPEE-10266 My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2017

Magento Open Source Merchants: