A critical security vulnerability dubbed "PolyShell" has been disclosed in Magento and Adobe Commerce, putting thousands of online stores at risk. This flaw lets attackers upload malicious files disguised as images, potentially taking over entire sites within minutes. Just 25 minutes after Sansec's alert on March 17, 2026, On Tap activated immediate protective measures, keeping all our Magento clients 100% safe.
What is the Magento PolyShell vulnerability?
PolyShell is a critical unrestricted file upload vulnerability in Magento and Adobe Commerce, discovered by Sansec on March 17, 2026. It exploits weaknesses in REST API media gallery endpoints, specifically the "custom options" feature, where file type validation fails entirely, affecting all Magento 2 versions up to 2.4.8-p4 (and early 2.4.9 builds).
Imagine your store's product photo uploader as an unlocked door; hackers slip in dangerous files disguised as innocent images like photo.jpg. These files secretly contain harmful programs (shell.php) and land in accessible folders like /pub/media/custom_options/.
How does PolyShell affect Magento merchants?
If your server isn't set up tightly, that hidden program runs like a backdoor key, giving hackers remote control of your site (called "remote code execution" or RCE). Even without full access, these bad files can steal customer data or damage your store.
These malicious files can:
-
Data theft and breaches: Hackers steal customer details, credit cards, and store secrets.
-
Site defacement and malware: Your homepage gets replaced with scams, viruses, or money-making schemes.
-
Blacklisting and downtime: Search engines and payment processors block you, with fixes taking 72+ hours on average.
-
Shared hosting spread: One hacked store infects others on the same server.
-
Financial hits: Cleanup plus lost sales and trust.
On Tap's immediate response
Adobe fixed PolyShell in a pre-release version (2.4.9-alpha3+), but has not backported the patch to stable releases. On Tap won't wait for official patches across all versions; we take immediate steps ahead.
Just a few minutes after Sansec's March 17 alert (faster than most attacks), we did the following for our clients:
-
Introduced Web Application Firewall rules to immediately block the ability to exploit any uploaded files
-
Hardened load balancer and web server configurations as a second line of defence
-
Scanned clients’ sites using Sansec ecomscan
However, we were already confident that no client had been compromised, because our AuditIQ solution has built-in File Integrity Monitoring, and this would have alerted us in real time to malicious files being created - no alerts had been generated.
The result: Zero PolyShell traces found. All On Tap Magento clients remain secure.
This lightning-fast response proves our commitment: rapid detection, immediate action, unbreakable defences.
Stay proactive across all platforms
Vulnerabilities strike any platform, anytime, with serious consequences. Whether you're running Magento/Adobe Commerce, Shopify, WooCommerce, or custom integrations, hackers never sleep. Zero-day exploits, API flaws, and supply chain attacks can cripple your store overnight, stealing customer data, triggering blacklists, and costing thousands in recovery.
At On Tap, your store's security is our top priority. We treat your store like our own. We stay proactive across all eCommerce platforms and integrations, reacting instantly to protect your business. Our 24/7 security team uses cutting-edge monitoring to stay ahead of threats, no matter your tech stack.
We've protected hundreds of merchants from downtime and breaches through:
-
Proactive site monitoring
-
Secure cloud hosting setups
-
Tailored security audits
Don't settle for one-off development or waiting on patches. Partner with On Tap for proactive vulnerability monitoring, custom security roadmaps, and complete eCommerce peace of mind. Your store deserves a trusted ally who acts first and keeps it unbreakable.
Also check out AuditIQ the premier monitoring solution for Magento and Adobe Commerce merchants. Security is just one of the areas that it has you covered - for example, it alerts you within seconds if there are unauthorised changes to your site code. It also directly integrates with Sansec for enhanced security alerts.


