New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores
Recorded: March 20, 2026, midnight
| Original | Summarized |
By Bill Toulas, March 19, 2026. A newly disclosed vulnerability dubbed 'PolyShell' affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover. |
A newly identified vulnerability, termed “PolyShell,” poses a significant risk to Magento e-commerce stores, specifically versions 2.4.9 and earlier. The issue allows for unauthenticated remote code execution (RCE) and potential account takeover, a critical security concern for businesses utilizing the Magento platform. Sansec, a cybersecurity firm, flagged the issue, noting that an exploit method is already circulating and likely to trigger automated attacks. While Adobe has released a patch for the second alpha release of version 2.4.9, this leaves production environments exposed until the update is broadly deployed.
The root cause of the vulnerability lies within Magento’s REST API and its handling of custom options for cart items. Specifically, the API accepts file uploads, which are then processed as ‘file’ type product options. This triggers the creation of a file_info object containing base64-encoded file data, a MIME type, and the filename, ultimately writing these files to the ‘pub/media/custom_options/quote’ directory on the server. Sansec researchers named the exploit “PolyShell” due to its utilization of a polyglot file capable of functioning as both an image and a script, adding to its deceptive nature.
The impact of the PolyShell flaw is substantial, potentially enabling RCE or account takeover via stored cross-site scripting (XSS) depending on the web server configuration. Sansec’s investigation revealed that many Magento stores expose files within this upload directory, amplifying the potential damage.
The firm recommends immediate action for Magento store administrators until a comprehensive patch is available. These actions include restricting access to the ‘pub/media/custom_options/’ directory, verifying that Nginx or Apache rules effectively block access there, and scanning stores for malicious files such as shells, backdoors, or other malware.
As of the report’s publication, Adobe has not yet responded to repeated requests for information regarding the timeline for releasing a security update for PolyShell to production environments. The potential for continued vulnerability underscores the urgency of implementing the recommended security measures. This situation highlights the ongoing importance of rigorous security practices within Magento deployments and the need for proactive monitoring and response to rapidly emerging threats. |
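A triage pass for the "scan stores for malicious files" recommendation above, as an added example that is not Sansec's or Adobe's tooling. It walks a copy of the ‘pub/media/custom_options/’ tree and flags files that pair an image header with script content; the marker and extension lists, the function names and the demo files are assumptions constructed for illustration.

```python
import os
import tempfile

# Headers that make a file pass as an image in naive type checks.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Script markers for the RCE and stored-XSS cases (assumed heuristic list).
SCRIPT_MARKERS = (b"<?php", b"<script")
# Extensions a web server may pass to an interpreter (assumed list).
RISKY_EXT = {".php", ".phtml", ".phar", ".pht"}

def classify(path):
    """Return the reasons a file looks suspicious (empty list if none)."""
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # first 1 MiB is enough for triage
    reasons = []
    if os.path.splitext(path)[1].lower() in RISKY_EXT:
        reasons.append("executable extension")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        is_image = data.startswith(IMAGE_MAGIC)
        reasons.append("polyglot: image header + script" if is_image
                       else "script content")
    return reasons

def scan(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def demo():
    """Build a constructed custom_options tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        quote = os.path.join(root, "quote", "a", "b")  # constructed layout
        os.makedirs(quote)
        samples = {
            "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "logo.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed */ ?>",
            "note.php": b"plain text",
        }
        for name, body in samples.items():
            with open(os.path.join(quote, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, "->", ", ".join(why))
```

Marker matching on raw bytes can flag legitimate images by coincidence, so treat hits as candidates for manual review rather than confirmed shells.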