New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores A newly disclosed vulnerability called "PolyShell" affects all Magento Open Source and Adobe Commerce 2 installations, allowing unauthenticated attackers to upload polyglot files that can enable remote code execution or stored XSS leading to account takeover. Adobe's fix is currently only available in the 2.4.9 second alpha while Sansec warns the exploit method is already circulating and urges immediate mitigations like restricting access to pub/media/custom_options and scanning for shells. #PolyShell #Magento

The new PolyShell flaw in Magento Open Source and Adobe Commerce 2 allows unauthenticated RCE via polyglot file uploads through the REST API, risking stored XSS and account takeover. Patch in 2.4.9 alpha. #PolyShell #MagentoSecurity #Netherlands