Sansec warns of a critical Magento vulnerability, codenamed PolyShell, that affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 and could allow unauthenticated attackers to upload arbitrary executables, enabling remote code execution or account takeover. The flaw arises because the REST API accepts file uploads as part of a cart item's custom options, and the embedded file data is written to pub/media/custom_options/quote/ on the server.
Depending on server configuration, this could allow PHP upload-based RCE, or stored XSS leading to an account takeover. Adobe has fixed the issue in the 2.4.9 pre-release branch as APSB25-94, but production versions still have no isolated patch. To mitigate the risk, sites are advised to restrict access to the upload directory, verify their web server rules, and scan for web shells and other malware.
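As an added defender's check, not code from Sansec's advisory or from Magento itself, the script below scans the upload directory named above for files whose extension or leading bytes look like PHP or inline script rather than the image or document uploads the custom-options feature expects. The directory path is the one the advisory gives; the sample files it scans are constructed inline.

```python
import re
import tempfile
from pathlib import Path

# The directory the advisory names as the upload target (relative to the Magento root).
UPLOAD_DIR = Path("pub/media/custom_options/quote")

# Extensions a web server might execute or a browser might render as active content.
RISKY_SUFFIXES = {".php", ".phtml", ".phar", ".html", ".htm", ".svg", ".js"}
# Byte patterns for PHP code or inline script, checked regardless of extension.
RISKY_CONTENT = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def suspicious_uploads(root: Path) -> dict[str, list[str]]:
    """Map each file under root that looks like executable or active content
    to the reasons it was flagged. Files that look like plain images are not listed."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        # path.suffixes sees every extension, so a double extension like x.php.jpg is caught.
        if {s.lower() for s in path.suffixes} & RISKY_SUFFIXES:
            reasons.append("risky extension")
        with path.open("rb") as fh:
            head = fh.read(4096)  # markers sit near the top of a PHP file or SVG payload
        if RISKY_CONTENT.search(head):
            reasons.append("active content in body")
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample upload tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / UPLOAD_DIR
        root.mkdir(parents=True)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # benign JPEG header
        (root / "upload.php.jpg").write_bytes(b"<?php /* placeholder */ ?>")  # double extension + PHP
        (root / "logo.svg").write_bytes(b"<svg><script>alert(1)</script></svg>")  # stored-XSS style
        (root / "notes").write_bytes(b"GIF89a<?php /* placeholder */ ?>")  # no extension, polyglot
        return suspicious_uploads(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against the real directory by calling `suspicious_uploads(Path("/path/to/magento") / UPLOAD_DIR)`; any hit is worth a manual look, and an empty result does not prove the web server rules are correct.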
Separately, Netcraft flags a campaign beginning on 27 February 2026 in which ~15,000 hostnames across 7,500 domains were defaced. Netcraft attributes it to a single threat actor, with infrastructure linked to brands including Asus, FedEx, Fiat, Lindt, Toyota and Yamaha.