Patching Magento SUPEE-10266

SUPEE-10266 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

Its best downloading the patch from the download section - or via MDA - the Magento download tool (this is what this guide will use).


  • SUPEE-9767

Applying the patch

The application of this patch is relatively straightforward. I'd recommend doing this in staging/development before attempting on live (if you don't have a dev. site follow this guide to create one).

  1. Change directory to your Magento document root and fetch mda.phar (the Magento downloader tool), if using Enterprise, refer to the documentation here to provide your id/token.

     cd /microcloud/data/domains/example/domains/
     wget -O mda.phar --no-check-certificate
     php mda.phar
  2. Select either CE/EE patch as appropriate,

     1:    Ce-patch
     3:    Ee-patch
  3. Select the auto detected version of Magento,

     0: (auto detected)
  4. Select the SUPEE-10266 patch (or press m to download all missing patches),

     17:   Missing     SUPEE-10266 for CE (
  5. Copy the patch to your Magento document root and apply it,

     cp ./downloads/PATCH_SUPEE-10266* .
     bash PATCH_SUPEE-10266*
  6. Clean your Magento cache using MageRun,

     mr_examplecom cache:clean

Known issues

Admin login message

Logging into the admin after an extended period of time will yield,

Invalid Secret Key. Please refresh the page.

This message, whist a nuisance, is believed harmless.

Custom admin themes

Users with custom admin themes will need to ensure the changes made to the following files by the patch are correctly updated. It is recommended to temporarily disable any custom admin theme until updated.

  • app/design/adminhtml/default/default/template/backup/dialogs.phtml
  • app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
  • app/design/adminhtml/default/default/template/customer/tab/view.phtml
  • app/design/adminhtml/default/default/template/login.phtml
  • app/design/adminhtml/default/default/template/notification/toolbar.phtml
  • app/design/adminhtml/default/default/template/oauth/authorize/form/login-simple.phtml
  • app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
  • app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
  • app/design/adminhtml/default/default/template/sales/order/view/history.phtml
  • app/design/adminhtml/default/default/template/sales/order/view/info.phtml