
Critical Security Flaw in Magento's REST API Allows Remote Code Execution
Security, Magento, REST API, Vulnerability, Remote Code Execution, Cybersecurity, PolyShell, Unauthenticated Access, System Compromise
Sansec reported a critical security flaw in Magento's REST API that permits unauthenticated attackers to upload arbitrary executables, leading to remote code execution (RCE) and account takeover. The vulnerability, named PolyShell, works by disguising malicious code as image files. No evidence of active exploitation in the wild had been observed at the time of disclosure. The flaw specifically affects Magento's REST API functionality; no CVE ID or patch release date was provided. The technical details highlight the risk of unauthenticated access leading to full system compromise.
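Because PolyShell is described as passing executable code off as image files, a defender's first triage step is to confirm that files accepted by an image-upload path really are images. The following is an added example, not Sansec's tooling or Magento code: it checks the file's magic bytes against its extension and flags PHP or script markers inside the body; the allowed extensions, the marker patterns and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed set of image types an upload endpoint would normally accept, keyed by extension.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markers that have no legitimate place inside an image payload (assumed list).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(rb"<\?="),
    re.compile(rb"<script\b", re.IGNORECASE),
    re.compile(rb"\b(eval|system|passthru|shell_exec)\s*\(", re.IGNORECASE),
]


def check_upload(name: str, data: bytes) -> list[str]:
    """Return findings for one uploaded file; an empty list means it looks like a plain image."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        findings.append(f"extension '{ext or '(none)'}' is not an allowed image type")
    elif not any(data.startswith(s) for s in sigs):
        # Extension claims an image, but the header does not: likely a renamed script.
        findings.append(f"content does not match the .{ext} signature")
    for pat in SUSPICIOUS_PATTERNS:
        m = pat.search(data)
        if m:
            # A valid image header followed by code is the polyglot pattern to catch.
            findings.append(f"embedded code marker {m.group(0)!r} at offset {m.start()}")
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk an upload directory (e.g. a media folder) and report only files with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings = check_upload(path.name, path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report


# Constructed samples: a minimal PNG header, and a JPEG header with PHP appended (polyglot).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(16))
POLYGLOT_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php echo 'x'; ?>"
```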