Unauthenticated Remote Code Execution and Account Takeover via Magento PolyShell File Upload Flaw
Summary
A critical unrestricted file upload vulnerability in Magento’s REST API, dubbed PolyShell by Sansec, enables unauthenticated attackers to upload arbitrary executable files disguised as images and achieve remote code execution (RCE) or account takeover via stored cross-site scripting (XSS). The flaw impacts all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 by leveraging the custom cart item option handling in the REST API, which writes uploaded files to the server’s `pub/media/custom_options/quote/` directory. Depending on web server configuration, this can lead to RCE through PHP execution or stored XSS via malicious payloads in file metadata. No evidence of active exploitation has been observed.
Timeline
- 20.03.2026 11:30 (1 article)
Magento PolyShell Unrestricted File Upload Flaw Disclosed; RCE and Account Takeover Risk Identified
A critical unrestricted file upload vulnerability in Magento’s REST API (PolyShell) permits unauthenticated file uploads to the server’s `pub/media/custom_options/quote/` directory. The flaw enables remote code execution via PHP execution or account takeover via stored XSS, depending on web server settings. Adobe patched the issue in 2.4.9 pre-release builds (APSB25-94), but production versions remain exposed due to reliance on hosting provider configurations.
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
Information Snippets
- The vulnerability (PolyShell) arises from the Magento REST API accepting file uploads via custom cart item options without proper validation or authentication.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- Uploaded files are stored in the server’s `pub/media/custom_options/quote/` directory, enabling potential RCE if PHP execution is permitted or stored XSS if file metadata is rendered unsafely.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- The flaw affects all Magento Open Source and Adobe Commerce versions up to and including 2.4.9-alpha2.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- Adobe addressed the issue in the 2.4.9 pre-release branch under APSB25-94, but production versions remain unpatched unless upgraded.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- Adobe provides a sample web server configuration to mitigate impact, but most deployments rely on hosting provider defaults, increasing exposure.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30
- Sansec has not observed active exploitation of PolyShell in the wild as of the advisory date.
  First reported: 20.03.2026 11:30 (1 source, 1 article)
- Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover — thehackernews.com — 20.03.2026 11:30