Generate a patch-status report
Use Commerce Version Tool (CVT) to generate a patch-status report for an Adobe Commerce installation. The report identifies applied, missing, and unknown monthly security patches and returns JSON output by default.
Prerequisites
Before running CVT, confirm that:
- The target installation uses a supported Adobe Commerce version and edition.
composer.lockis present and matches the environment you want to inspect.- PHP and the system
patchbinary are available. - You can read the project files from the environment where you run the command.
- The tool can write to
var/patch_metadata/andvar/log/if you want cache files and audit-log entries. - Credentials are available through
COMPOSER_AUTHorauth.jsonif entitlement-gated patches apply to the installation.
The CVT tool checks COMPOSER_AUTH, the Adobe Commerce project auth.json, and the global Composer auth.json for entitlement-gated patch credentials.
Generate the report
From the Adobe Commerce project root, run:
php vendor/bin/patch-status
To check a different Adobe Commerce installation, use the --root option:
php vendor/bin/patch-status --root=/path/to/commerce
Command options
JSON is the default output format. CSV output is supported for scanners, dashboards, and compliance reports.
--root=PATH--format=json|csvjson.--no-cache--version, -V--help, -hReview JSON and CSV output
The following sample shows default JSON output.
php vendor/bin/patch-status
{
"base_version": "2.4.7-p9",
"installed_components": {
"CE": "2.4.7-p9",
"EE": "2.4.7-p9",
"B2B": "1.5.2-p5"
},
"applied_patches": [
"247p9-2026-05-001-CE",
"247p9-2026-05-001-EE"
],
"missing_patches": [
"247p9-2026-06-001-CE",
"247p9-2026-06-001-EE"
],
"unknown_patches": [],
"vulnerability_status": {
"CVE-2026-12354": { "status": "PROTECTED" },
"CVE-2026-67890": { "status": "VULNERABLE" }
},
"registry_source": "remote",
"warnings": []
}
To generate CSV output, use the --format=csv option:
php vendor/bin/patch-status --format=csv
CSV output produces one row per CVE and is suitable for spreadsheets, scanners, dashboards, and compliance tooling.
Understand report results
Review missing and unknown patches before making security-status claims.
Patch status values
The patch-status report groups patch results by the following values:
CVE status values
JSON output reports CVE status values in uppercase.
PROTECTEDVULNERABLEUNKNOWNNOT_APPLICABLEKey output fields
The report can include the following information:
- Base Adobe Commerce version - The installed base version detected from
composer.lock. - Registry source - Whether patch metadata came from
remote,cache, orstale_cache. - Installed components - Adobe Commerce package areas detected from
composer.lock. - Applied patches - Monthly security patches detected in the Adobe Commerce codebase.
- Missing patches - Monthly security patches that apply but are not detected.
- Unknown patches - Patches that the CVT tool cannot classify.
- Vulnerability status by CVE - CVE coverage mapped to protected, vulnerable, not applicable, or unknown status.
- Warnings - Conditions that might affect the reliability or completeness of the report.
Patch registry and cache
The patch registry file contains the patch metadata that the CVT tool uses to determine which patches apply to an installed version. The tool uses a fresh registry cache when available, fetches the remote registry when needed, and can use a stale cache with a warning if the network is unavailable. Use --no-cache only when you require fresh remote fetches.