Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover

2026-03-20

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Sansec has disclosed a critical Magento REST API vulnerability dubbed PolyShell that allows unauthenticated attackers to upload arbitrary executables and achieve remote code execution or account takeover.

•The flaw exists in Magento's cart item custom options, where the REST API accepts base64-encoded file uploads with a user-supplied filename and MIME type, writing them to pub/media/custom_options/quote/
•Depending on server configuration, exploitation can lead to PHP-based RCE or stored XSS-based account takeover by disguising malicious code as an image
•All Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 are affected; Adobe patched it in the 2.4.9 pre-release branch (APSB25-94) but has not issued an isolated patch for production versions
•Mitigations include restricting access to the upload directory and verifying nginx/Apache rules, though Sansec warns this does not prevent uploads without a WAF

Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture