New Magento Vulnerability Could Lead to Full Store Compromise
A serious security issue has been discovered in Magento’s REST API that could let attackers upload malicious files without authentication. If exploited, the flaw could allow hackers to execute code on the server or even take control of user accounts.
Security researchers at Sansec have named the vulnerability “PolyShell” because it hides harmful code inside files that appear to be harmless images.
How the Attack Works
The issue comes from how Magento handles file uploads linked to product options in the shopping cart.
When a product includes a file upload option, the system accepts data that includes:
- A base64-encoded file
- File type information
- A filename
This file is then stored on the server. The problem is that the system does not properly restrict what kind of files can be uploaded.
An attacker can take advantage of this by disguising malicious code as an image file and uploading it to the server.

What Hackers Can Do
Depending on how the server is set up, this flaw could lead to:
- Remote code execution through malicious PHP files
- Account takeover using stored cross-site scripting (XSS)
- Full system compromise if attackers gain deeper access
Even though there is no confirmed exploitation yet, the risk is considered high because the attack does not require authentication.
Who Is Affected
The vulnerability impacts:
- Magento Open Source
- Adobe Commerce
All versions up to 2.4.9-alpha2 are affected.
While Adobe has addressed the issue in a pre-release update, many live production systems do not yet have a direct patch available.

Why This Is Dangerous
Magento does provide recommended server configurations that can limit damage. However, most online stores rely on custom hosting setups, which may not include these protections.
This creates a gap where attackers can exploit weak configurations even if general guidance exists.

How to Protect Your Store
Security experts recommend taking immediate action to reduce risk:
- Block access to the upload directory (pub/media/custom_options/)
- Ensure web server rules (Apache or Nginx) prevent execution from that directory
- Scan your system for web shells, backdoors, and suspicious files
It’s important to note that blocking access alone does not stop malicious uploads. A properly configured Web Application Firewall (WAF) is strongly recommended.
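The following script is an added example written for this article; it is not Sansec's, Adobe's or Magento's code. It covers two points made above: the upload shape described under "How the Attack Works" (base64 data, a declared type, a filename) and the "scan for web shells and suspicious files" step. It assumes the upload directory is pub/media/custom_options/ as stated, uses constructed key names (file, type, filename) for the upload payload since the article does not give the real field names, and treats anything that is not a plain JPEG, PNG or GIF as worth flagging. The sample files it writes are constructed for the demonstration and contain only benign markers.

```python
"""Defender-side checks for image/PHP polyglots in a Magento upload directory.

Added example, not Sansec's, Adobe's or Magento's code. Assumes the option
upload directory is pub/media/custom_options/ and that legitimate uploads
there are plain JPEG, PNG or GIF images.
"""
from __future__ import annotations

import base64
import re
import tempfile
from pathlib import Path

# Extensions a web server must never execute from an upload directory.
EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}

# Leading bytes ("magic numbers") of the image formats we expect to see.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MIME_FOR_KIND = {"jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}

# PHP open tags and HTML script tags: neither belongs inside an image.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def image_kind(data: bytes) -> str | None:
    """Return the image format the leading bytes claim, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_bytes(name: str, data: bytes) -> list[str]:
    """Return findings for one file's name and content (empty = looks clean)."""
    findings: list[str] = []
    if Path(name).suffix.lower() in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    kind = image_kind(data)
    if kind is None:
        findings.append("not-an-image")
    if PHP_TAG.search(data):
        # A valid image header followed by a PHP tag is the polyglot pattern.
        findings.append("php-in-image" if kind else "php-code")
    if SCRIPT_TAG.search(data):
        findings.append("script-tag")
    return findings


def validate_upload(payload: dict) -> list[str]:
    """Hardened acceptance check for an option upload of the shape the article
    describes. Key names (file, type, filename) are constructed assumptions."""
    data = base64.b64decode(payload["file"], validate=True)
    problems = classify_bytes(payload["filename"], data)
    kind = image_kind(data)
    # The declared type must agree with what the bytes actually are.
    if kind and payload.get("type") != MIME_FOR_KIND[kind]:
        problems.append("type-mismatch")
    return problems


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Scan every regular file under root; map relative path -> findings."""
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify_bytes(path.name, path.read_bytes())
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


def build_sample_dir(root: Path) -> None:
    """Write constructed sample files so the scanner can be exercised offline."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "clean.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Polyglot: a JPEG header with a PHP tag appended (benign marker only).
    (root / "poly.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 'constructed'; ?>"
    )
    (root / "dropped.php").write_bytes(b"<?php echo 'constructed'; ?>")
    (root / "active.svg").write_bytes(b"<svg><script>/* constructed */</script></svg>")


def scan_sample() -> dict[str, list[str]]:
    """Build the constructed samples in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "pub" / "media" / "custom_options"
        build_sample_dir(sample)
        return scan_directory(sample)


if __name__ == "__main__":
    for rel, hits in scan_sample().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real store with `scan_directory(Path("/path/to/magento/pub/media/custom_options"))`; any reported file deserves a manual look. The scan is a detection aid and does not replace the web-server rule that denies execution in that directory, nor the WAF the article recommends: a polyglot that is never executed is still a polyglot that should not be there.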
Ongoing Attacks Target Magento Sites
This warning comes as researchers from Netcraft report a large-scale campaign affecting Magento websites worldwide.
Since late February 2026, attackers have:
- Compromised thousands of e-commerce sites
- Uploaded defacement files across public directories
- Impacted around 15,000 hostnames across 7,500 domains
Some of the affected infrastructure is linked to major global brands, including Asus, FedEx, Fiat, Lindt, Toyota, and Yamaha.
At this stage, it is unclear whether these attacks are connected to the PolyShell vulnerability or caused by separate weaknesses.

Final Take
Magento remains one of the most widely used e-commerce platforms, which makes it a prime target for attackers. Vulnerabilities like PolyShell highlight how a single weak point can expose entire online stores.
If you run a Magento site, now is the time to review your security setup, lock down file uploads, and monitor for unusual activity.
Staying proactive is the only way to stay ahead of threats like this.
