Magento PolyShell mitigation guidance
Advisory/Mitigation
Summary
Sansec issued mitigation guidance for Magento storefronts after identifying a critical REST API file-upload flaw that can enable remote code execution or account takeover. Operators are told to restrict the pub/media/custom_options/ upload path, verify nginx or Apache access rules, and look for web shells or backdoors. The guidance matters because blocking access alone does not stop uploads, and a specialized WAF may still be needed to limit abuse.
Related Happenings
Magento Open Source and Adobe Commerce PolyShell unauthenticated RCE flaw
Vulnerability
First: 19.03.2026 22:01
Last: 19.03.2026 22:01
Sources 1
How related:
Sansec is warning of a critical security flaw in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables and achieve code execution and account takeover.
About this happening:
**PolyShell** is a **Magento Open Source** and **Adobe Commerce** vulnerability that can enable **unauthenticated code execution** and **account takeover** across **stable version...
Adobe PolyShell fix for Magento Open Source and Adobe Commerce
Security Patch Release
First: 19.03.2026 22:01
Last: 19.03.2026 22:01
Sources 1
How related:
Sansec also noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but that this leaves current production versions without an isolated patch.
About this happening:
Adobe released an **alpha** fix for **PolyShell**, but **production Magento Open Source and Adobe Commerce stable version 2** installations remain vulnerable. The update is only p...
Timeline
- 20.03.2026 11:30 · 2 articles
Sansec issues Magento PolyShell mitigation guidance
Mitigation Patch Update
Sansec warned that the Magento REST API flaw dubbed PolyShell lets unauthenticated attackers upload arbitrary executables, with potential remote code execution or account takeover on Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. Adobe said the issue was fixed in the 2.4.9 pre-release branch as APSB25-94, while production versions remained without an isolated patch, and storefront operators were advised to restrict access to pub/media/custom_options/, verify nginx or Apache rules, scan for web shells and backdoors, and use a specialized WAF.
Sources
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30