Mallory
Severity: Critical

Unauthenticated Arbitrary File Upload in Amasty Order Attributes for Magento 2

Identifiers: CVE-2026-53787, CWE-434 (Unrestricted Upload of File with…)

CVE-2026-53787 affects Amasty Order Attributes for Magento 2 before version 4.0.0. The vulnerability is an unauthenticated arbitrary file upload flaw in the product's upload endpoint. The endpoint accepts files of any type or name and does not enforce authentication, session validation, or cart context, allowing remote attackers to write arbitrary files into the store's media directory. The available reporting further indicates that the flaw may also permit path traversal, enabling writes outside the intended upload directory. Where the Magento media directory or a reachable written path permits PHP execution, an attacker can upload a PHP payload and achieve remote code execution. Even without PHP execution, the flaw can be abused to host malicious content or to plant HTML/SVG content for stored cross-site scripting.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote attackers to write arbitrary files to the target Magento instance. In environments where the media directory permits execution of uploaded PHP, this can result in full remote code execution in the web server context, with corresponding compromise of confidentiality, integrity, and availability. In environments that do not execute PHP from the media directory, attackers may still use the vulnerability for malware hosting, defacement, stored XSS via HTML or SVG uploads, and potentially writing files outside the intended directory if path traversal is feasible.

Mitigation

If you can’t patch tonight, do this now.

Until the fixed version is deployed, restrict or disable access to the vulnerable upload endpoint where possible, especially from untrusted networks. Enforce web-server rules that prevent execution of PHP and other active content from the media directory and other writable paths. Add compensating controls such as WAF rules for the affected endpoint, strict server-side validation of uploaded file types and filenames, and monitoring for unexpected files in media and adjacent writable directories. Hunt for previously uploaded PHP, HTML, SVG, or other suspicious files and review logs for unauthenticated access to the upload functionality.
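Two of the compensating controls above, the strict server-side check on uploaded filenames and the hunt for unexpected active content in the media tree, can be expressed as code. The following is an added example, not code from Amasty, Magento or Mallory: the allow-list of legitimate extensions, the media sub-path layout and the sample files it scans are all constructed assumptions, and the scan is a hunting aid to run against a copy of `pub/media`, not a replacement for the vendor fix or for a web-server rule that denies PHP execution there.

```python
"""Defensive helpers for a Magento 2 media tree exposed to an arbitrary-file-upload flaw.

Added example (not Amasty/Magento/Mallory code). Assumptions: the allow-list of
benign extensions below, and the constructed sample files in demo_scan().
  1. validate_upload_name(): server-side filename allow-list check that rejects
     traversal, active-content extensions and double extensions.
  2. scan_media_dir(): hunts a writable media tree for PHP/HTML/SVG droppings,
     per-directory server overrides, and PHP content hiding behind benign names.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions a web server or browser might treat as active content.
ACTIVE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
               "shtml", "html", "htm", "svg", "js", "xml"}
# Per-directory config files that could re-enable execution or rewrite rules.
CONFIG_NAMES = {".htaccess", ".user.ini", "web.config"}
# Extensions an order-attribute upload would legitimately carry (assumption).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_IN_SVG = re.compile(rb"<script|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def validate_upload_name(name: str, allowed=ALLOWED_EXTS) -> tuple:
    """Return (ok, reason) for a client-supplied filename; allow-list, not deny-list."""
    if not name or "\x00" in name:
        return False, "empty or NUL byte"
    # The name must already be a bare basename: no separators, no traversal.
    if name != os.path.basename(name) or "/" in name or "\\" in name:
        return False, "path separator or traversal"
    parts = name.split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing extension or dotfile"
    # Every dotted segment after the first counts as an extension, so
    # 'shell.php.jpg' is rejected even though its final extension is allowed.
    exts = [p.lower() for p in parts[1:]]
    if any(e in ACTIVE_EXTS for e in exts):
        return False, "active-content extension"
    if len(exts) != 1 or exts[0] not in allowed:
        return False, "extension not in allow-list"
    if not re.fullmatch(r"[A-Za-z0-9_\-]{1,100}", parts[0]):
        return False, "disallowed characters in name"
    return True, "ok"


def scan_media_dir(root) -> dict:
    """Walk the media tree; return {relative_path: [reasons]} for suspicious files."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.name in CONFIG_NAMES:
            findings[rel] = ["per-directory server config in upload tree"]
            continue
        exts = [e.lower() for e in path.name.split(".")[1:]]
        if any(e in ACTIVE_EXTS for e in exts):
            reasons.append("active-content extension ." + ".".join(exts))
        with path.open("rb") as fh:
            head = fh.read(4096)  # only the head is needed for the markers below
        if PHP_OPEN_TAG.search(head):
            reasons.append("PHP open tag in content")  # catches polyglot 'images'
        if exts and exts[-1] == "svg" and SCRIPT_IN_SVG.search(head):
            reasons.append("scriptable SVG")
        if reasons:
            findings[rel] = reasons
    return findings


def demo_scan() -> dict:
    """Build a constructed sample media tree in a temp dir and scan it."""
    sample = {  # constructed contents, not real artefacts from any incident
        "quote/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header",
        "quote/notes.txt": b"plain text attachment",
        "quote/shell.php": b"<?php echo 'constructed'; ?>",
        "quote/image.jpg": b"GIF89a<?php echo 'polyglot'; ?>",
        "quote/logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
        "quote/.htaccess": b"# constructed per-directory override",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_media_dir(tmp)


if __name__ == "__main__":
    for rel, reasons in demo_scan().items():
        print(rel, "->", "; ".join(reasons))
```

The validator is deliberately an allow-list: anything not matching a single benign extension and a plain name is refused, which is what "strict server-side validation of uploaded file types and filenames" has to mean in practice. The scan reads only the head of each file and flags PHP open tags independently of the extension, because a polyglot named `image.jpg` is exactly what survives an extension-only hunt.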

Remediation

Patch, then assume compromise.

Upgrade Amasty Order Attributes for Magento 2 to version 4.0.0 or later. In addition, review the deployment to ensure the media directory and any upload-accessible paths do not allow execution of PHP or other server-side active content. Validate that the vendor fix is fully deployed across all nodes and clear caches as appropriate for Magento deployments.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repo.

Valid: 0 / 1 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Amasty | Order Attributes For Magento 2 | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (6)

Community discussion across Reddit, Mastodon, and other social sources.