Adobe PolyShell fix for Magento Open Source and Adobe Commerce
Security Patch Release
Summary
Adobe released an alpha fix for PolyShell, but production Magento Open Source and Adobe Commerce stable version 2 installations remain vulnerable. The update is only present in the second alpha release of version 2.4.9, so there is no broadly available production patch yet. The flaw can enable unauthenticated code execution and account takeover through Magento's REST API file-upload handling. Until a production build lands, operators still need compensating controls around the upload path.
Related Happenings
Microsoft May 2026 Patch Tuesday (120 flaws)
Security Patch Release
First: 12.05.2026 21:08
Last: 12.05.2026 21:08
Sources 1
About this happening:
**Microsoft** released its **May 2026 Patch Tuesday** updates, fixing **120 flaws** and disclosing **no zero-days**. The bundle includes **17 Critical** vulnerabilities, with mult...
Linux kernel security update for Copy Fail (CVE-2026-31431)
Security Patch Release
First: 30.04.2026 16:54
Last: 30.04.2026 16:54
Sources 1
About this happening:
**Linux kernel** maintainers have fixed **CVE-2026-31431** and are rolling out updates to close a **local privilege escalation** flaw that lets an unprivileged attacker gain **roo...
Adobe security patch release for CVE-2026-34621
Security Patch Release
First: 12.04.2026 07:25
Last: 12.04.2026 07:25
Sources 1
About this happening:
**Adobe** issued **emergency updates** for **Acrobat Reader**, **Acrobat DC**, and **Acrobat 2024** after **CVE-2026-34621** was found **actively exploited in the wild**. The patc...
Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation
Exploitation Wave
First: 25.03.2026 23:40
Last: 25.03.2026 23:40
Sources 1
How related:
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,”
About this happening:
**PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...
Latest development: 09.04.2026 01:34
Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).
Magento PolyShell mitigation guidance
Advisory/Mitigation
First: 20.03.2026 11:30
Last: 20.03.2026 11:30
Sources 1
How related:
To mitigate any potential risk, e-commerce storefronts are advised to perform the following steps -
About this happening:
**Sansec** issued **mitigation guidance** for **Magento** storefronts after identifying a **critical REST API file-upload flaw** that can enable **remote code execution** or **acc...
Timeline
19.03.2026 22:01 · 3 articles
Adobe limits PolyShell fix to a 2.4.9 alpha release
Mitigation Patch Update
PolyShell affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover through Magento's REST API file-upload handling for cart-item custom options. Adobe's fix is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable until a production patch arrives. Administrators are advised to restrict access to pub/media/custom_options/, verify nginx or Apache access controls, and scan for uploaded shells, backdoors, or other malware.
Sources:
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- PolyShell attacks target 56% of all vulnerable Magento stores — www.bleepingcomputer.com — 25.03.2026 23:40
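The timeline entry above tells administrators to scan pub/media/custom_options/ for uploaded shells. As an added example that is not part of this page or of Sansec's or Adobe's guidance, the POSIX shell script below walks that directory and flags files with server-executable or double extensions and files that claim an image or document extension but carry a PHP open tag. The function names and the default directory are assumptions for illustration; it is a triage aid, not a complete webshell detector.

```shell
#!/bin/sh
# Added example, not from the article or from Sansec/Adobe: scan a Magento
# custom-options upload directory for files that should never be there.
# Function names and the directory default are assumptions for illustration.

# Extensions a web server may execute or honour as configuration, matched in
# any position so double extensions such as shell.php.jpg are also caught.
SUSPECT_EXT_RE='\.(php[0-9]?|phtml|phar|htaccess|sh|pl|cgi)(\.|$)'

# scan_custom_options [DIR]
# Prints one "<path><TAB><reason>" line per suspect file found under DIR.
scan_custom_options() {
    dir="${1:-pub/media/custom_options}"
    if [ ! -d "$dir" ]; then
        echo "scan_custom_options: no such directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f | while IFS= read -r f; do
        name=$(basename "$f")
        if printf '%s\n' "$name" | grep -Eiq "$SUSPECT_EXT_RE"; then
            printf '%s\tsuspect-extension\n' "$f"
        # A PHP open tag inside what claims to be an image or document is a
        # polyglot upload; -a makes grep treat binary content as text.
        elif grep -aqE '<\?php|<\?=' "$f" 2>/dev/null; then
            printf '%s\tphp-tag-in-body\n' "$f"
        fi
    done
}

# count_suspects [DIR] -> number of suspect files, handy for a cron alert.
count_suspects() {
    scan_custom_options "$1" | wc -l | tr -d ' '
}
```

Run it from the Magento root (`count_suspects` with no argument uses pub/media/custom_options) and treat any non-zero count as a prompt to inspect the listed paths by hand.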