External risk intelligence

Amasty Order Attributes Unauthenticated File Upload Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-53787

An unauthenticated arbitrary file upload vulnerability exists in Amasty Order Attributes for Magento 2, allowing an unauthenticated attacker to write files of any type into the store's media directory. This leads to remote code execution if the web server executes PHP from the media directory; even where it does not, the attacker can host malware on the store's own origin or plant files that deliver cross-site scripting payloads.

Halo Surface Signal score for CVE-2026-53787: 5 (external exposure likelihood)

Weakness class: Unrestricted File Upload

This vulnerability affects a Magento 2 extension, which is a component of an internet-facing e-commerce web application. The exploit targets an unauthenticated file upload endpoint that is reachable by any user interacting with the public store, making the vulnerable surface public-facing by design in normal deployment.

PCI scan relevance

PCI Relevance for CVE-2026-53787: Yes

Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated arbitrary file uploads, potentially leading to remote code execution. Due to its critical severity and unauthenticated nature, it is considered a PCI risk.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in an e-commerce platform extension that allows unauthenticated attackers to upload arbitrary files. This could lead to remote code execution, malware hosting, or other security breaches on affected systems, impacting the integrity and availability of online stores.

  • Unauthenticated file uploads can compromise e-commerce sites.
  • Remote code execution is possible where the media directory executes PHP; malware hosting and cross-site scripting need no such misconfiguration.
  • Confirm relevance and assess exposure to this threat.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload arbitrary files, including malicious scripts, to a Magento 2 store's media directory. This is possible because the upload endpoint of the Amasty Order Attributes extension neither requires authentication nor validates the type of the uploaded file. Successful exploitation could lead to remote code execution, malware hosting, or cross-site scripting.

  • No authentication or special access required.
  • Upload arbitrary files to the media directory.
  • Remote code execution or malware hosting.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to upload arbitrary files to a Magento 2 store's media directory. If the server permits PHP execution in this directory, it could lead to remote code execution. Alternatively, attackers could host malware, conduct cross-site scripting attacks, or potentially write files outside the intended directory.

  • Arbitrary files in the media directory.
  • Unauthenticated file upload to the endpoint.
  • Remote code execution or malware hosting.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Amasty Order Attributes extension for Magento 2 requires immediate attention from teams responsible for e-commerce platforms and their associated codebases. The first step is to identify all Magento 2 instances using this extension, confirm whether they are reachable from the internet, and establish their business criticality. Once identified, the accountable owner should plan and execute remediation, coordinating with the vendor for a fixed version or, if patching is not immediately feasible, applying compensating controls: deny PHP execution under the media directory at the web server and block the extension's upload endpoint. Because exploitation leaves files behind, review the media directory for scripts or other unexpected files as part of the same response.

  • Identify affected systems and accountable owners.
  • Verify external reachability and business criticality.
  • Plan remediation with the vendor, or deny PHP execution in the media directory and block the upload endpoint in the meantime.
  • Check the media directory for already-uploaded scripts.

Frequently asked questions

What is Amasty Order Attributes for Magento 2?

It is a functional extension designed for the Magento 2 e-commerce platform. Merchants use this plugin to add custom fields to checkout pages, allowing them to collect specific information from customers during the ordering process. It integrates directly into the store's data collection flow, which means it processes incoming web requests to handle attribute data.

How does CVE-2026-53787 work?

This vulnerability is an Unrestricted Upload of File with Dangerous Type (CWE-434). The extension fails to properly validate files sent to its upload endpoint. Because it lacks authentication and session checks, an attacker can submit malicious files of any type. If the server is configured to run scripts from the media directory, this allows the attacker to execute arbitrary code on the underlying server.
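The checks a safe upload handler has to apply before accepting a customer file, shown as an added example in Python rather than the extension's own PHP; this is not Amasty's code and says nothing about how the extension actually validates input. The allowed types, size limit and random storage name are assumptions. It also covers the inputs that defeat a naive extension check: case variants, double extensions, .htaccess, and image/PHP polyglots.

```python
# Added example (not the extension's code): validation a safe upload handler
# applies to a customer-supplied file. Allowed types, size limit and the
# storage naming scheme are ASSUMED for illustration.
import re
import secrets

# Declared extension -> leading bytes the content must actually start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Anything a PHP web server might execute, or read as configuration, or that a
# browser renders with script (svg/html -> XSS). Rejected if it appears as ANY
# dot-separated component of the name, so shell.php.jpg is caught as well.
DANGEROUS_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
                 "pht", "htaccess", "htpasswd", "ini", "cgi", "sh", "svg", "html", "htm"}
PHP_TAG = re.compile(rb"<\?(php\b|=)")
MAX_SIZE = 5 * 1024 * 1024   # assumed per-file limit


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (True, random_storage_name) or (False, reason)."""
    # Path separators or a NUL byte mean traversal or name truncation tricks.
    if not filename or re.search(r"[\\/\x00]", filename):
        return False, "path separator or NUL in file name"
    if len(data) > MAX_SIZE:
        return False, "too large"
    parts = filename.lower().split(".")          # case-insensitive: shell.PhP
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    if any(p in DANGEROUS_EXT for p in parts[1:]):
        return False, "dangerous extension component"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not on allow-list"
    # The declared type must match the bytes, not just the name.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A valid image that also carries PHP is still a payload for any later include().
    if PHP_TAG.search(data):
        return False, "PHP open tag inside file (polyglot)"
    # Never keep the client-supplied name: random name, server-chosen extension.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Storing under a random name also removes the attacker's ability to predict the URL of what they uploaded, which matters for the malware-hosting and XSS cases even when PHP execution is already disabled.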

Do I need to be logged in to trigger this bug?

No. The vulnerability does not require any authentication, session validation, or existing cart context to be triggered. An attacker can access the upload endpoint directly as an unauthenticated user. Simply having the affected version of the extension installed and active on the platform is sufficient for the endpoint to be reachable.

Why is this considered a public-facing risk?

According to Halo Surface Signal, this vulnerability is very likely to be reachable because it resides in an extension for Magento 2, which is inherently an internet-facing e-commerce application. Since the vulnerable upload endpoint is exposed to public web traffic as part of normal store operations, any remote attacker can interact with it without needing internal network access.

How should I respond to this threat?

Begin by inventorying all Magento 2 instances to confirm which ones are running the Amasty Order Attributes extension. Once you identify affected systems, assess their business criticality and verify whether they are reachable from the internet. Coordinate with the relevant system owners to prioritize remediation, which may involve applying vendor updates or implementing temporary compensating controls: blocking access to the vulnerable endpoint and denying PHP execution in the media directory.
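The inventory and media-directory review described in the Operational Fix section and in this answer, as an added Python triage helper that is not part of the advisory and not Amasty's or Magento's code. It reads the module flag from app/etc/config.php, the installed version from composer.lock, and walks pub/media for files a file-upload attacker would leave behind. The module code Amasty_Orderattr and package name amasty/module-orderattr are assumptions; confirm them against your own vendor directory before relying on the result. The sample install it builds is constructed data.

```python
# Added example (not Amasty's or Magento's code): triage helpers for a
# Magento 2 install. MODULE and PACKAGE are ASSUMED names; check your own
# app/code or vendor tree for the real ones.
import json
import pathlib
import re
import tempfile
from typing import List, Optional, Tuple

MODULE = "Amasty_Orderattr"            # assumed module code in app/etc/config.php
PACKAGE = "amasty/module-orderattr"    # assumed composer package name
# Extensions a PHP stack may execute; none of them belong under pub/media.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
PHP_TAG = re.compile(rb"<\?(php\b|=)")


def module_enabled(config_php: str) -> Optional[bool]:
    """True/False from the 'modules' array in app/etc/config.php, None if absent."""
    m = re.search(r"'%s'\s*=>\s*(\d)" % re.escape(MODULE), config_php)
    return None if m is None else m.group(1) == "1"


def installed_version(composer_lock: str) -> Optional[str]:
    """Version pinned in composer.lock, which is what is actually deployed."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def suspicious_media_files(media_dir) -> List[Tuple[str, str]]:
    """Hunt pub/media for uploaded scripts: a script extension anywhere in the
    name (shell.php, img.php.jpg), a web-server override file, or a PHP open
    tag inside something that claims to be media."""
    root = pathlib.Path(media_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(p in SCRIPT_EXT for p in path.name.lower().split(".")[1:]):
            findings.append((rel, "script extension"))
            continue
        # Magento ships its own .htaccess files under pub/media; report these
        # so they can be diffed against the distributed copy, not auto-deleted.
        if path.name in (".htaccess", ".user.ini"):
            findings.append((rel, "web-server override file; compare with shipped copy"))
            continue
        with path.open("rb") as fh:
            head = fh.read(65536)
        if PHP_TAG.search(head):
            findings.append((rel, "PHP open tag in non-script file"))
    return findings


def triage(magento_root) -> dict:
    root = pathlib.Path(magento_root)
    return {
        "module_enabled": module_enabled((root / "app/etc/config.php").read_text()),
        "version": installed_version((root / "composer.lock").read_text()),
        "media_findings": suspicious_media_files(root / "pub/media"),
    }


def build_sample(root: pathlib.Path) -> None:
    """Constructed sample install (not real data) so the helpers run offline."""
    (root / "app/etc").mkdir(parents=True)
    (root / "app/etc/config.php").write_text(
        "<?php\nreturn [\n    'modules' => [\n        'Magento_Store' => 1,\n"
        "        '%s' => 1,\n    ]\n];\n" % MODULE)
    (root / "composer.lock").write_text(json.dumps(
        {"packages": [{"name": PACKAGE, "version": "0.0.0-sample"}]}))
    media = root / "pub/media"
    (media / "catalog/product").mkdir(parents=True)
    (media / "amasty/orderattr").mkdir(parents=True)
    (media / "catalog/product/a.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")        # benign
    (media / "amasty/orderattr/shell.php").write_bytes(b"<?php system($_GET['c']);")
    (media / "amasty/orderattr/img.php.jpg").write_bytes(b"\xff\xd8\xff")           # double extension
    (media / "amasty/orderattr/poly.jpg").write_bytes(b"\xff\xd8\xff<?php eval($_POST['x']);")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(pathlib.Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run triage() against each Magento root found in the inventory; a module flag of 1 plus a version below the vendor's fixed release marks the instance as affected, and any non-empty media_findings list means the exposure check has to be followed by incident response, not just patching.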

References