{"id":336,"date":"2026-03-20T12:59:10","date_gmt":"2026-03-20T12:59:10","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=336"},"modified":"2026-03-20T12:59:10","modified_gmt":"2026-03-20T12:59:10","slug":"magento-polyshell-flaw-enables-unauthenticated-uploads-rce-and-account-takeover","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=336","title":{"rendered":"Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 20, 2026<\/span><\/span>Web Security \/ Vulnerability<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Sansec is warning of a critical security flaw in Magento’s REST API that could allow unauthenticated attackers to upload arbitrary executables and achieve code execution and account takeover.<\/p>\n

The vulnerability has been codenamed PolyShell<\/strong> by Sansec owing to the fact that the attack hinges on disguising malicious code as an image. There is no evidence that the shortcoming has been exploited in the wild. The unrestricted file upload flaw affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2.<\/p>\n

The Dutch security firm said the problem stems from the fact that Magento’s REST API accepts file uploads as part of the custom options for the cart item.<\/p>\n

\u00abWhen a product option has type ‘file,’ Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename,\u00bb it said<\/a>. \u00abThe file is written to pub\/media\/custom_options\/quote\/ on the server.\u00bb<\/p>\n

Depending on the web server configuration, the flaw can enable remote code execution via PHP upload or account takeover via stored XSS.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Sansec also noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94<\/a>, but leaves current production versions without an isolated patch.<\/p>\n

\u00abWhile Adobe provides a sample web server configuration that would largely limit the fallout, the majority of stores use a custom configuration from their hosting provider,\u00bb it added.<\/p>\n

To mitigate any potential risk, e-commerce storefronts are advised to perform the following steps –<\/p>\n