
A newly disclosed vulnerability dubbed ‘PolyShell’ affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.
There are no signs of the issue being actively exploited in the wild, but eCommerce security company Sansec warns that “the exploit method is circulating already” and expects automated attacks to start soon.
Adobe has released a fix, but it is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable. Sansec says that Adobe offers a “sample web server configuration that would largely limit the fallout,” but most stores rely on a setup from their hosting provider.
In a report this week, Sansec says that the security problem is rooted in Magento’s REST API accepting file uploads as part of the custom options for the cart item.
“When a product option has type ‘file’, Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server,” the researchers explain.
Sansec says “PolyShell” is named after its use of a polyglot file that can behave as both an image and a script.
Depending on the web server configuration, the flaw can enable remote code execution (RCE) or account takeover via stored XSS, impacting most of the stores Sansec analyzed.
“Sansec investigated all known Magento and Adobe Commerce stores and found that many stores expose files in the upload directory.”
Until Adobe releases the patch to production versions, store administrators are recommended to take the following actions:
- Restrict access to pub/media/custom_options/
- Verify that nginx or Apache rules actually prevent access there
- Scan stores for uploaded shells, backdoors, or other malware
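As an added illustration of the last step (this is not code from Sansec, Adobe or Magento), the following Python script walks the upload directory the article names and flags files that a web server could execute or that are image/script polyglots. The set of accepted image magic bytes and the list of executable extensions are assumptions for this example.

```python
import re
from pathlib import Path

# Magic bytes for image types a "file" custom option would normally carry.
# Assumption for this example: the store's allowed set may differ.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Markers that have no business inside an image: PHP open tags, script tags,
# server-side includes. A hit inside an otherwise valid image is a polyglot.
SUSPICIOUS = re.compile(rb"<\?php|<\?=|<script\b|<!--#(exec|include)", re.IGNORECASE)

# Extensions a misconfigured server might execute or render (assumed list).
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".html", ".htm", ".svg"}


def image_type(data: bytes):
    """Return the image type from magic bytes, or None if not an image."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(name: str, data: bytes) -> str:
    """Verdict for one upload: 'executable-ext', 'polyglot', 'not-image' or 'ok'."""
    p = Path(name)
    # Check every suffix so "shell.php.jpg" style double extensions are caught,
    # and flag .htaccess/.htpasswd style files that can change handler mappings.
    if p.name.startswith(".ht") or any(s.lower() in EXEC_EXT for s in p.suffixes):
        return "executable-ext"
    if image_type(data) is None:
        return "not-image"
    if SUSPICIOUS.search(data):
        return "polyglot"
    return "ok"


def scan_upload_dir(root) -> dict:
    """Walk pub/media/custom_options/ and map each flagged file to its verdict."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify(p.name, p.read_bytes())
            if verdict != "ok":
                findings[str(p.relative_to(root))] = verdict
    return findings


if __name__ == "__main__":
    import sys
    for rel, verdict in scan_upload_dir(sys.argv[1]).items():
        print(f"{verdict:15} {rel}")
```

Run it as `python scan.py pub/media/custom_options/` from the Magento root; any line it prints deserves a manual look, since a legitimate upload should be a plain image with an image extension.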
BleepingComputer has contacted Adobe to ask about when a security update for PolyShell will be made available, but we have not heard back as of publishing.