VYPR
← All advisories
Critical severity9.8NVD Advisory· Published Jun 12, 2026· Updated Jun 12, 2026

CVE-2026-53787

CVE-2026-53787

Description

Amasty Order Attributes for Magento 2 before 4.0.0 allows unauthenticated arbitrary file upload, leading to RCE, XSS, or malware hosting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Amasty Order Attributes for Magento 2 before 4.0.0 allows unauthenticated arbitrary file upload, leading to RCE, XSS, or malware hosting.

Vulnerability

Amasty Order Attributes for Magento 2 versions before 4.0.0 contain an unauthenticated arbitrary file upload vulnerability [1][2][3]. The upload endpoint accepts files of any type and name without authentication, session validation, or cart context [2][3]. This allows attackers to write arbitrary files to the store's media directory [2][3]. The vulnerability is tracked as CVE-2026-53787 with a CVSS score of 9.8 (Critical) [2].

Exploitation

No authentication, session, or cart context is required to access the upload endpoint [2][3]. An attacker can send HTTP requests to the endpoint, submitting a file of any type or name, including PHP, HTML, SVG, or other malicious payloads [2][3]. The attack is trivial to automate across ordinary storefront traffic [2]. For path traversal, on version 3.16.0 the unsanitized filename allows writing outside the intended amasty_checkout folder; on versions prior to 2.4.2, it escapes the media directory entirely [2].

Impact

Successful exploitation can lead to: - Remote code execution (RCE) if the media directory permits PHP execution, allowing server compromise, backdoors, payment skimmers, admin account creation, and data theft [2][3]. - Malware hosting by storing .phar payloads, phishing kits, or other malware served from the store's domain [2]. - Stored cross-site scripting (XSS) via uploaded HTML or SVG files, leading to session theft or admin takeover when executed in a visitor's or administrator's browser [2][3]. - Path traversal to write files outside the intended upload directory [2][3].

Mitigation

Amasty released version 4.0.0 on June 12, 2026, which fixes the vulnerability by validating uploads before committing them, enforcing an extension allow-list, and requiring a real file attribute [2][3]. The fix is backward-incompatible because a new mandatory attribute_code parameter was added to the upload endpoint [2]. Stores using Sansec Shield are protected in real time even before patching [2]. No workaround is available for unpatched versions; upgrade to 4.0.0 is strongly recommended [2][3].

References
  1. Magento 2 Order Attributes | Magento 2 Add Custom Order Attribute Programmatically
  2. Unauthenticated file upload in Amasty Order Attributes for Magento
  3. Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.