Critical severity9.8NVD Advisory· Published Jan 23, 2017· Updated May 13, 2026

CVE-2016-4010

Description

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

magento.com/security/patches/magento-206-security-updatenvdPatchVendor Advisory
packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-File-Write.htmlnvdExploitThird Party AdvisoryVDB Entry
packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-Code-Execution.htmlnvdExploitThird Party AdvisoryVDB Entry
netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/nvdTechnical DescriptionThird Party Advisory
www.exploit-db.com/exploits/39838/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.070
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000