“PolyShell” Vulnerability in Magento and Adobe Commerce Allows Unauthenticated Malicious File Uploads


164/69 Monday, March 23, 2026

Cybersecurity firm Sansec has disclosed a vulnerability in the REST API of Magento and Adobe Commerce that allows attackers to upload malicious files to affected systems without authentication. The flaw, dubbed PolyShell, affects all versions up to and including 2.4.9-alpha2. In older versions (below 2.3.5), the issue may also enable Cross-Site Scripting (XSS). As a result, a large number of online stores are at risk of system compromise or customer account takeover.

The vulnerability stems from the REST API file upload mechanism, which accepts base64-encoded files attached as cart item options and stores them on the server without sufficient validation. Attackers can exploit this with polyglot files: files that pass as valid images but also carry embedded malicious code, so that naive content checks do not reject them. Where the server is misconfigured, for example so that uploaded files are executed as scripts or served inline to browsers, this can lead to Remote Code Execution (RCE) or XSS. Even if immediate code execution is not possible, the malicious files remain on the system and can be leveraged later if the configuration changes.

Although Adobe has addressed the issue in the 2.4.9 pre-release, no official patches have been released for the stable versions currently in production. Organizations are therefore advised to implement additional mitigation measures, such as deploying a Web Application Firewall (WAF), restricting access to (and in particular script execution in) upload directories, and monitoring for signs of compromise, including unexpected files in upload locations. While no widespread exploitation has been observed yet, proof-of-concept (PoC) exploit code has already been released, increasing the likelihood of automated attacks in the near future. Notably, previous reports of attacks affecting over 7,500 Magento websites show that e-commerce platforms remain a prime target for threat actors.
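The two points above, that the API stores base64-encoded "image" options without checking what they really contain, and that the interim defence is to police the upload directory, both come down to the same check: does the file's leading signature match the extension it claims, and does the body carry script markup that a genuine raster image never contains? The scanner below is an added example written for this article; it is not code from Sansec, Adobe or the Magento project, the REST field layout is not reproduced (only the base64 body is handled), and the sample files, names and the `scan_*` helpers are constructed for illustration.

```python
"""Polyglot-upload scanner (illustrative example, not Sansec's or Magento's code).

Two checks per file:
  1. the leading bytes must match a known image signature for the claimed extension;
  2. the body must not contain PHP or HTML/JS markup, which is exactly what an
     image/web-shell or image/XSS polyglot has to carry.
Sample inputs and paths below are constructed for the example.
"""
import base64
import binascii
import os
import re

# Leading bytes a file claiming one of these extensions must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markers that have no business inside a raster image: a PHP open tag (what a
# polyglot needs if the server ever executes the file) or HTML/JS/SVG tags
# (what an XSS polyglot needs if the file is served inline by the web server).
SCRIPT_MARKERS = re.compile(
    rb"<\?(?:php\b|=)|<script\b|<svg\b|<html\b|<iframe\b", re.IGNORECASE
)


def classify_upload(filename, data):
    """Return a list of findings for one file; an empty list means it looks clean."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        findings.append("extension .%s is not on the image allow-list" % ext)
    elif not data.startswith(signatures):
        findings.append("leading bytes do not match a .%s image" % ext)
    hit = SCRIPT_MARKERS.search(data)
    if hit:
        findings.append("script marker %r at offset %d" % (hit.group(0), hit.start()))
    return findings


def scan_base64_option(filename, b64):
    """Decode a base64 file body as carried in an API request and classify it.
    Strict decoding: anything that is not valid base64 is rejected, not stored."""
    if b64.lstrip().lower().startswith("data:") and "," in b64:
        b64 = b64.split(",", 1)[1]  # tolerate a data: URL prefix
    try:
        data = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return ["option data is not valid base64"]
    return classify_upload(filename, data)


def scan_directory(root):
    """Walk an upload/media directory and report every file that has findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = classify_upload(name, data)
            if findings:
                report[path] = findings
    return report


# Constructed samples (not captured from a real incident).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
POLYGLOT_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8 + b"<?php echo 'polyglot'; ?>"
FAKE_JPG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # PNG bytes under a .jpg name
POLYGLOT_GIF_B64 = base64.b64encode(POLYGLOT_GIF).decode("ascii")

if __name__ == "__main__":
    for name, blob in (("photo.jpg", CLEAN_JPEG), ("logo.gif", POLYGLOT_GIF),
                       ("photo.jpg", FAKE_JPG), ("cmd.php", CLEAN_JPEG)):
        print(name, classify_upload(name, blob) or "clean")
    print("API option:", scan_base64_option("logo.gif", POLYGLOT_GIF_B64))
    print("bad base64:", scan_base64_option("logo.gif", "not base64!!"))
```

Note what the signature check alone would miss: the constructed `logo.gif` sample starts with a perfectly valid `GIF89a` header, so an allow-list of magic bytes accepts it; only the second check, scanning the whole body for a PHP open tag, flags it. That is the whole point of a polyglot, and why the mitigation list above pairs upload-directory restrictions with content inspection rather than relying on either one. Running `scan_directory` over the media path of a store is a cheap first pass for the "files that remain on the system" case the article describes.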

Source: https://securityaffairs.com/189744/security/polyshell-flaw-exposes-magento-and-adobe-commerce-to-file-upload-attacks.html