HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Magento REST API ‘PolyShell’ Flaw Enables Unauthenticated RCE and Account Takeover

Sansec has identified a zero‑day vulnerability in Magento’s REST API that allows unauthenticated attackers to upload malicious files, execute code, and hijack admin accounts, putting e‑commerce sites and their customer data at risk.

LiveThreat™ Intelligence · 📅 March 21, 2026· 📰 thehackernews.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Critical Magento REST API “PolyShell” Flaw Enables Unauthenticated RCE and Account Takeover

What Happened — Security firm Sansec disclosed a critical vulnerability in Magento’s REST API (codenamed PolyShell) that lets an unauthenticated attacker upload a malicious file disguised as an image, achieve remote code execution, and hijack admin accounts. The flaw affects all Magento installations that expose the vulnerable endpoint. No public exploitation has been observed to date.

Why It Matters for TPRM

  • Attack surface is the public API; any third‑party integration that relies on Magento becomes a potential entry point.
  • Successful exploitation grants full control of the e‑commerce environment, exposing customer PII, payment data, and intellectual property.
  • Vendors may be unable to patch quickly, creating a supply‑chain risk for downstream merchants.

Who Is Affected — Retail & e‑commerce platforms, online marketplaces, and any organization that uses Magento as its storefront or as a backend for third‑party services.

Recommended Actions

  • Verify whether your organization or any downstream partner runs Magento and confirm the version.
  • Apply the vendor‑released patch (or mitigate by disabling the vulnerable REST endpoint) immediately.
  • Conduct a focused code‑review of custom extensions that interact with the REST API.
  • Update third‑party risk questionnaires to include this specific API exposure.

Technical Notes — The exploit relies on disguising a malicious binary as an image file, bypassing input validation in the REST upload endpoint. No CVE identifier has been assigned yet; the vulnerability is classified as a zero‑day remote code execution (RCE) and account takeover risk. Data at risk includes admin credentials, customer personal data, and transaction records. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/03/magento-polyshell-flaw-enables.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →