CVE-2026-53787: Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload
Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 4.0.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated arbitrary file upload vulnerability in the Amasty Order Attributes extension for Magento 2, affecting all versions before 4.0.0. The upload endpoint is reachable over the network and requires no authentication, session token, or shopping cart context to exploit. Successful exploitation allows an attacker to write arbitrary files, including PHP scripts, to the server, enabling remote code execution, malware hosting, stored cross-site scripting via HTML or SVG payloads, and path traversal writes outside the intended media directory. A patched-image rebuild at version 4.0.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-53787 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of ingestion from upstream feeds including VulnCheck. Coverage extends to custom Magento 2 images built internally that bundle the Amasty Order Attributes extension.
Available
HarborGuard is capable of scoring this CVE at its CVSS v4.0 rating of 9.3 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on image ownership and policy configuration.
Available
A patched-image rebuild at version 4.0.0 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads without manual intervention.
Available
Exploit Conditions
- Network reachability: Required
The vulnerable upload endpoint is exposed over the network, so an attacker must be able to reach the Magento 2 store via HTTP or HTTPS.
- Authentication: Not required
No account, session token, or cart context is required; the endpoint accepts file submissions from any unauthenticated request.
- Victim interaction: Not required
The attack is fully server-side; no user action or social engineering is needed to complete the exploit.
- Attack complexity: Detail
Exploitation is reliable and condition-free, with no race conditions or special environmental factors required to upload a file successfully.
Blast Radius
- Attacker writes a PHP webshell to the media directory and executes arbitrary OS commands on the underlying server where PHP execution is permitted in that directory.
- Attacker uploads HTML or SVG files containing malicious scripts, which execute in the browsers of store visitors or administrators who load the uploaded content.
- Attacker uses path traversal in the filename to write files outside the intended media directory, potentially overwriting application files or configuration.
- Attacker hosts malware or phishing pages on the compromised store's domain by writing arbitrary content through the upload endpoint.
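A triage sweep for the file types named in the list above, as an added example that is not HarborGuard or Amasty code: it walks a media directory, flags PHP-executable and HTML/SVG files, and checks whether a submitted file name would resolve outside the upload directory. The extension lists, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extension groups mirror the impacts in the list above (constructed lists;
# extend them to match the handlers your web server actually maps to PHP).
PHP_EXEC = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
ACTIVE_CONTENT = {".html", ".htm", ".xhtml", ".svg"}

def classify(name):
    """Label a file name by the impact it enables, or return None."""
    # Check every dotted segment so double extensions (x.php.jpg) are caught.
    exts = {"." + seg for seg in name.lower().split(".")[1:]}
    if exts & PHP_EXEC:
        return "php-executable"
    if exts & ACTIVE_CONTENT:
        return "active-content"
    return None

def resolves_outside(upload_dir, filename):
    """True if a submitted file name would land outside upload_dir."""
    base = Path(upload_dir).resolve()
    target = (base / filename.replace("\\", "/")).resolve()
    return target != base and base not in target.parents

def sweep(media_root, since_epoch=0.0):
    """Return sorted (relative_path, label) for risky files modified since since_epoch."""
    root = Path(media_root).resolve()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            label = classify(fname)
            path = Path(dirpath) / fname
            if label and path.lstat().st_mtime >= since_epoch:
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree standing in for a store's media directory.
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("catalog/a.jpg", "upload/x.php", "upload/logo.svg", "upload/y.PHTML.png"):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample")
        for rel, label in sweep(tmp):
            print(f"{label:15} {rel}")
        print("escapes upload dir:", resolves_outside(tmp, "../../outside.txt"))
```

Passing the deployment time of the vulnerable version as `since_epoch` narrows the sweep to files written while the endpoint was exposed.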
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-53787 is active across all connected registries and pipelines, matching any image that bundles Amasty Order Attributes for Magento 2 below version 4.0.0. Given the Critical severity (CVSS v4.0 9.3) and zero-authentication attack surface, this CVE is prioritized for immediate remediation. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image at the fixed version 4.0.0, running a regression test suite against the rebuilt image, and opening a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with full CVSS context and fix-version detail so engineering teams can act manually. As an interim compensating control, customers can apply network policy rules to restrict external access to the Magento media upload endpoint while the patched image is being prepared and validated.
Fix available
- Amasty / Order Attributes for Magento 2 < 4.0.0 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N