CVE-2026-53787 CRITICAL

CVE-2026-53787: Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload

Vendor Amasty

Product Order Attributes for Magento 2

Weakness CWE-434 · Unrestricted file upload

Published June 12, 2026

Last update June 13, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.

Key dates

Disclosure timeline

June 12, 2026 CVE published

June 13, 2026 Record updated