Magento Commerce Improper Neutralization of Special Elements Used In A Command
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce versions 2.4.2, 2.4.2-p1, and 2.3.7 and earlier are vulnerable to remote code execution via file upload in the data collection endpoint by an authenticated admin user.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command (command injection) in the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to trigger remote code execution [1].
Exploitation
An attacker must have admin-level access to the Magento backend. The attacker uploads a malicious file via the Data collection endpoint, which fails to properly sanitize input, allowing command injection.
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying server, leading to full remote code execution with the privileges of the web server user [1].
Mitigation
The available references do not specify a fix or workaround. Adobe typically releases security patches for such vulnerabilities; users should apply the latest Magento security updates.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
- Range: <=2.4.2, <=2.4.2-p1, <=2.3.7
- GHSA coordinates (2 versions): < 2.3.7-p1, + 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce, v5 range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qmq6-jpvg-j547 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36024 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.