PolyShell Vulnerability Allows Unauthenticated RCE on Magento E-Stores

What happened

A newly disclosed vulnerability dubbed PolyShell affects stable Magento Open Source and Adobe Commerce version 2 installations and can allow unauthenticated remote code execution or account takeover, depending on server configuration. Researchers at Sansec said the flaw stems from Magento’s REST API accepting file uploads through custom cart item options, which lets attackers upload a polyglot file that can behave as both an image and a script. The uploaded file is written to the pub/media/custom_options/quote/ directory, where it may be executed or used in stored cross-site scripting attacks if web server protections are not properly enforced. Adobe has released a fix only in the second alpha for version 2.4.9, leaving production versions exposed for now, while Sansec warned that the exploit method is already circulating and automated attacks are expected soon. 

Who is affected

Organizations running stable Magento Open Source or Adobe Commerce version 2 stores are affected, particularly those whose web server configurations expose uploaded files in the custom options directory. 

Why CISOs should care

The flaw affects widely used e-commerce platforms and can expose online stores to unauthenticated code execution or account takeover, creating risk for both platform integrity and customer-facing operations. 

3 practical actions

  1. Restrict access to the custom options upload directory. Limit access to pub/media/custom_options/ until a production patch is available. 
  2. Verify web server protections are working. Check that nginx or Apache rules actually block access to uploaded files in that path. 
  3. Scan stores for malicious uploads. Look for uploaded shells, backdoors, or other malware in affected Magento environments. 
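As a starting point for actions 2 and 3, here is an added example (not code from the advisory, Sansec, or Magento) that walks the upload directory named above and flags image/script polyglots: files whose first bytes are an image magic number but which also carry a PHP open tag or a `<script>` tag. The sample files built by `make_samples` are constructed for an offline run; the Magento root path is an assumption.

```shell
#!/bin/sh
# Added example: scan pub/media/custom_options/quote/ for image/script polyglots,
# i.e. files that start with an image magic number but also contain PHP or
# <script> markup. The files created by make_samples are constructed samples.

# Classify one file. Prints "POLYGLOT (<kind>) <path>" and returns 0 when the
# file looks like an image that also contains executable markup; returns 1 otherwise.
check_polyglot() {
  f="$1"
  # first four bytes as lowercase hex, e.g. "ffd8ffe0" for a JPEG
  magic=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
  case "$magic" in
    ffd8ff*)  kind=jpeg ;;
    89504e47) kind=png ;;
    47494638) kind=gif ;;
    *)        return 1 ;;   # not an image header: out of scope for this check
  esac
  # -a treats the binary file as text; -E enables the alternation
  if grep -aqE '<\?php|<\?=|<script' "$f"; then
    echo "POLYGLOT ($kind) $f"
    return 0
  fi
  return 1
}

# Walk a directory tree (quote uploads sit in hashed subfolders) and print
# every polyglot found.
scan_dir() {
  find "$1" -type f | while read -r f; do
    check_polyglot "$f" || true
  done
}

# Build a throwaway directory with constructed samples so the check runs offline.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/quote/a/b"
  # clean JPEG-like file
  printf '\377\330\377\340JFIF clean image data' > "$dir/quote/a/b/clean.jpg"
  # JPEG header followed by a PHP open tag (the polyglot shape the advisory describes)
  printf '\377\330\377\340JFIF<?php echo "hi"; ?>' > "$dir/quote/a/b/poly.jpg"
  # PNG header carrying a script tag (stored XSS variant)
  printf '\211PNG\r\n\032\n<script>x()</script>' > "$dir/quote/xss.png"
  echo "$dir"
}

# Usage on a real store (assumed Magento root; directory is the one in the advisory):
#   scan_dir /path/to/magento/pub/media/custom_options/quote
```

A hit from this scan is a signal to preserve the file and review web server logs for requests to that path, since a polyglot that was never requested may still be an attempt worth recording.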

The risk is underscored by recent large-scale attacks that have already compromised thousands of Magento websites through similar exploitation techniques.