Magento Commerce Path Traversal In `theme[preview_image]` Parameter Could Lead To Remote Code Execution
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the theme[preview_image] parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in Magento Commerce via the theme[preview_image] parameter allows an administrator to achieve remote code execution.
Vulnerability
A path traversal vulnerability exists in Magento Commerce versions 2.4.2, 2.4.2-p1, and 2.3.7 (and earlier) through the theme[preview_image] parameter. An attacker with admin privileges can manipulate this parameter to traverse directories and upload malicious files, leading to remote code execution [1].
Exploitation
To exploit, an attacker must have admin privileges to access the parameter. By crafting a request with path traversal sequences (e.g., ../) in theme[preview_image], the attacker can write files outside the intended directory. Uploading a malicious PHP file enables arbitrary code execution on the server [1].
Impact
Successful exploitation allows remote code execution with the privileges of the web server user, potentially leading to full site compromise, data exfiltration, and further attacks [1].
Mitigation
Adobe released security updates fixing this vulnerability. Users should upgrade to Magento Commerce 2.4.3, 2.4.2-p2, or 2.4.1-p1 (or later versions). For Magento Open Source, apply the latest patches [2].
- NVD - CVE-2021-36031
- GitHub - magento/magento2
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
- Range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7
- ghsa-coords (2 versions): < 2.3.7-p1, plus 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (CVE record v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7w95-qwhh-q9p3 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36031 (source: GHSA; type: advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (source: GHSA; tags: x_refsource_MISC, web)
News mentions
No linked articles in our index yet.