Unauthenticated remote code execution flaw in Magento and Adobe Commerce via PolyShell polyglot uploads
Summary
A critical unauthenticated remote code execution vulnerability named PolyShell has been disclosed in all supported versions of Magento Open Source and Adobe Commerce (version 2). The flaw stems from the REST API improperly processing file uploads in custom cart item options, enabling attackers to upload and execute polyglot files that act as both images and scripts. Depending on server configuration, this can result in remote code execution or account takeover via stored cross-site scripting. Adobe has released a fix only in the alpha release of version 2.4.9, leaving production deployments vulnerable. Exploitation attempts are expected to accelerate following public disclosure. Impact is high due to the widespread use of Magento/Adobe Commerce in e-commerce, the absence of authentication requirements, and the potential for mass compromise of storefronts.
Timeline
- 19.03.2026 22:01 (1 article)
PolyShell vulnerability disclosed in Magento and Adobe Commerce leading to unauthenticated RCE and XSS
All supported versions of Magento Open Source and Adobe Commerce (version 2) are affected by an unauthenticated file upload flaw in the REST API custom options, enabling polyglot file execution. Adobe’s patch is currently available only in the alpha release of version 2.4.9, leaving production environments vulnerable. Attackers can upload malicious polyglot files to pub/media/custom_options/quote/ which, depending on web server configuration, may result in remote code execution or stored cross-site scripting. Public exploit methods are circulating, and widespread automated attacks are anticipated.
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
Information Snippets
- PolyShell affects all stable versions of Magento Open Source and Adobe Commerce (version 2) due to improper handling of file uploads in the REST API custom options for cart items.
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- The vulnerability allows unauthenticated attackers to upload polyglot files that function as both images and scripts, written to pub/media/custom_options/quote/ on the server.
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Depending on web server configuration (e.g., Apache or nginx), exploitation can lead to remote code execution (RCE) or account takeover via stored cross-site scripting (XSS).
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Adobe has released a patch only in the alpha release of version 2.4.9; production versions remain vulnerable.
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Sansec reports that many Magento and Adobe Commerce stores leave files in the upload directory web-accessible, so exploitation needs no further conditions on those stores.
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
- Sansec and BleepingComputer note that exploit methods are already circulating, and automated attacks are expected to increase following public disclosure.
  First reported: 19.03.2026 22:01 (1 source, 1 article)
  - New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores — www.bleepingcomputer.com — 19.03.2026 22:01
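A defender-side check for the upload directory named in the snippets above, added here as an example and not code from Sansec, Adobe or BleepingComputer: it flags files under pub/media/custom_options/quote/ that open with an image signature yet also contain a PHP or script marker, which is the polyglot pattern the report describes. The PNG/JPEG/GIF magic bytes are the standard format signatures; the marker list, the function names and the sample files are assumptions constructed for this example.

```python
from pathlib import Path

UPLOAD_DIR = "pub/media/custom_options/quote"  # directory named in the report
# Standard file signatures of image formats a product-option upload would carry.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Markers that make an "image" executable or renderable as a script (assumed heuristic, case-insensitive).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def image_type(data):
    """Return the image format whose magic bytes open the file, or None."""
    return next((n for m, n in IMAGE_MAGIC.items() if data.startswith(m)), None)

def find_script_marker(data):
    """Return (marker, offset) of the earliest script marker in the bytes, or None."""
    lowered = data.lower()
    hits = [(m.decode(), lowered.find(m)) for m in SCRIPT_MARKERS]
    hits = [h for h in hits if h[1] != -1]
    return min(hits, key=lambda h: h[1]) if hits else None

def classify(data):
    """'polyglot' = image header plus script marker; 'script' = marker without
    an image header; 'image' = header only; 'unknown' = neither."""
    kind, hit = image_type(data), find_script_marker(data)
    if kind and hit:
        return "polyglot"
    return "script" if hit else ("image" if kind else "unknown")

def scan_files(items):
    """Return [(name, verdict)] for every (name, bytes) pair that is suspicious."""
    verdicts = [(name, classify(data)) for name, data in items]
    return [v for v in verdicts if v[1] in ("polyglot", "script")]

def scan_directory(root=UPLOAD_DIR):
    """Run scan_files over the first 2 MiB of every regular file under root."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_files((str(p), p.read_bytes()[:2 << 20]) for p in files)

# Constructed sample uploads, not artefacts recovered from any real store.
SAMPLES = {
    "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "poly.gif": b"GIF89a" + b"\x00" * 16 + b"<?php echo 'constructed'; ?>",
    "poly.jpg": b"\xff\xd8\xff\xe0" + b"<script>/* constructed */</script>",
    "raw.php": b"<?PHP echo 'no image header';",
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLES.items()):
        print(f"{name}: {verdict}")
```

Run scan_directory() from the Magento root on a schedule and alert on any non-empty result; a clean store should return nothing.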