- Description
- Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
- Source
- disclosure@vulncheck.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- disclosure@vulncheck.com
- CWE-434
- Hype score
- Not currently trending
๐จ CRITICAL: CVE-2026-53787 (CVSS 9.8) Amasty Order Attributes for Magento 2 <4.0.0 allows unauthenticated arbitrary file upload โ RCE. Attackers can upload PHP files without authentication. Patch immediately! #CVE #PatchNow #ThreatIntel https://t.co/f7pwAJY5gR
@DFIR_Lab
13 Jun 2026
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
๐จ CVE-2026-53787 โ CVSS 9.8/10 โโโโโโโโโโ Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/i2tepu4bm6
@OrizonCyber
12 Jun 2026
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes