A newly disclosed vulnerability dubbed ‘PolyShell’ impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.
There are no signs of the issue being actively exploited in the wild, but eCommerce security firm Sansec warns that “the exploit methodology is circulating already” and expects automated attacks to begin soon.
Adobe has released a fix, but it is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable. Sansec says that Adobe offers a “sample web server configuration that can largely limit the fallout,” but most stores rely on a setup from their hosting provider.
In a report this week, Sansec says that the security problem is rooted in Magento’s REST API accepting file uploads as part of the custom options for cart items.
“When a product option has type ‘file’, Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server,” the researchers explain.
Sansec says “PolyShell” is named after its use of a polyglot file that can behave as both an image and a script.
Depending on the web server configuration, the flaw can enable remote code execution (RCE) or account takeover via stored XSS, impacting most of the stores Sansec analyzed.
“Sansec investigated all known Magento and Adobe Commerce stores and found that many stores expose files in the upload directory.”
Until Adobe releases the patch to production versions, store administrators are advised to take the following actions:
- Restrict access to pub/media/custom_options/
- Verify that nginx or Apache rules actually prevent access there
- Scan stores for uploaded shells, backdoors, or other malware
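The third action above, scanning the upload directory for polyglot files, can be started with a small script like the one below. This is an added example for this article, not Sansec's or Adobe's tooling; it assumes the store's custom-options directory is passed as an argument and flags files that carry an image signature but also contain PHP or HTML script markers, a mismatched extension, or a script extension outright.

```python
"""Flag polyglot uploads under Magento's pub/media/custom_options/ directory.
Constructed example for this article, not Sansec's or Adobe's tooling."""
import os
import re

# Leading bytes of the image formats a product "file" option normally holds.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".html", ".htm"}
# Markers that have no business inside an image: PHP open tags and HTML script.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image format implied by the file's leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(name: str, data: bytes) -> list:
    """Return the reasons a stored upload looks suspicious (empty = clean)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    kind = image_type(data)
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {ext}")
    if SCRIPT_MARKERS.search(data):
        # A valid image header followed by script content is the polyglot shape.
        reasons.append("image/script polyglot" if kind else "script content")
    if kind and ext not in IMAGE_EXTENSIONS:
        reasons.append(f"{kind} data with extension {ext or '(none)'}")
    return reasons


def scan_directory(root: str) -> dict:
    """Walk root and map each suspicious file path to its list of reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                reasons = classify(fname, fh.read())
            if reasons:
                findings[path] = reasons
    return findings
```

Call `scan_directory("/path/to/pub/media/custom_options")` (path assumed) and review every returned entry by hand; a hit only means the file deserves inspection, and a clean result does not prove the web server rules in the second action are in place.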
BleepingComputer has contacted Adobe to ask when a security update for PolyShell will be made available, but we have not heard back as of publishing.
