## What happened

A newly disclosed vulnerability dubbed **PolyShell** impacts **Magento Open Source** and **Adobe Commerce** stable v2 installations.

According to Sansec (via BleepingComputer), the issue can lead to:

- **Unauthenticated remote code execution (RCE)** in some configurations, or

- **Stored XSS leading to account takeover** in others

Sansec says exploit details are circulating and expects automation to follow.

## Root cause (high level)

The weakness is tied to Magento’s **REST API** handling of cart item “custom options” that accept **file uploads**.

When an option has type `file`, the API processes an embedded `file_info` object containing:

- base64-encoded file bytes

- a MIME type

- a filename

The uploaded content is written under `pub/media/custom_options/quote/`.

The “PolyShell” name references the use of **polyglot files** that can be treated both as an image and as executable/script content, depending on web server behavior.

## Patch status and risk

Adobe reportedly fixed the issue, but the fix was (at the time of reporting) only available in an **alpha** release, leaving production versions exposed.

This creates a familiar risk window for internet-facing commerce sites: even if exploitation isn’t widespread yet, opportunistic scanning often follows public disclosure.

## Mitigations to apply now

Until a production patch is available, administrators should:

- Restrict access to `pub/media/custom_options/`

- Verify that the **nginx/Apache** rules actually prevent access to that directory

- Hunt for suspicious uploads (web shells/backdoors) in upload paths
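As an added example for the hunting step (not code from Sansec, Adobe or the Magento project): a small Python scanner that walks an upload directory and flags image/script polyglots. It checks three signals chosen here to match the polyglot described above (a server-side script extension anywhere in the filename, an image extension whose bytes do not start with that format's magic, and a PHP open tag embedded in the body); the directory layout and the sample files are constructed.

```python
# Added example: flag image/script polyglots in an upload directory (constructed samples).
import os
import tempfile

IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def classify(path: str) -> list[str]:
    """Findings for one file; an empty list means nothing suspicious."""
    findings = []
    parts = os.path.basename(path).lower().split(".")[1:]
    with open(path, "rb") as fh:
        data = fh.read()
    # a server-side extension anywhere in the name (e.g. name.phtml.jpg)
    if any("." + p in SCRIPT_EXT for p in parts):
        findings.append("script-extension")
    # an image extension whose bytes do not start with that format's magic
    ext = "." + parts[-1] if parts else ""
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("magic-mismatch")
    # a PHP open tag anywhere in the body: the polyglot case (valid image header + code)
    if b"<?php" in data:
        findings.append("embedded-php")
    return findings

def hunt(root: str) -> dict[str, list[str]]:
    """Walk root and map each suspicious file (relative path) to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if findings := classify(full):
                hits[os.path.relpath(full, root)] = findings
    return hits

def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree standing in for the quote/ upload path and hunt it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed test files; the PHP marker is an inert comment
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "poly.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* inert marker */ ?>",
        "notimage.jpg": b"plain text, not a JPEG",
        "double.phtml.jpg": b"\xff\xd8\xff" + b"\x00" * 8,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return hunt(root)
```

Point `hunt()` at the real `pub/media/custom_options/quote/` path on a store and review every hit by hand; a clean image never appears in the result.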

## Bottom line

For web teams running Magento/Adobe Commerce, PolyShell is a reminder that **file-upload surfaces** (including those exposed via APIs) can become high-impact RCE paths. Tight web-server rules and fast operational response matter as much as application patches.