Amasty Order Attributes for Magento 2 Unauthenticated Arbitrary File Upload (CVE-2026-53787)
critical-cve-against-dependency · active
Amasty Order Attributes for Magento 2 before version 4.0.0 has an unauthenticated arbitrary file upload flaw that lets attackers write any file to the store's media directory. This can lead to remote code execution (e.g. uploading PHP files), malware hosting, stored XSS, and path traversal.
Affected packages
- packagist: amasty/order-attributes-for-magento-2
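A defender-side triage check for this advisory, added here as an example and not taken from Amasty or any of the listed sources: it reads the locked version of the package from parsed `composer.lock` data and lists files under the media directory whose names carry a PHP-executable extension. The function names, the extension list, and the rule that unparseable versions such as dev branches count as affected are assumptions of this example.

```python
import os
import re
import tempfile

PACKAGE = "amasty/order-attributes-for-magento-2"  # package name as listed on this page
FIXED = (4, 0, 0)                                  # first fixed version per the advisory
# Assumption: name segments a PHP web server may treat as executable, in any position
# (covers double extensions such as "x.phtml.jpg").
EXEC_RE = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)


def installed_version(lock):
    """Return the locked version string of PACKAGE, or None if it is not installed."""
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in pkgs:
        if pkg.get("name", "").lower() == PACKAGE:
            return pkg.get("version")
    return None


def is_affected(version):
    """True if version is below FIXED; unparseable versions (dev branches) count as affected."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return version is not None
    return tuple(int(g or 0) for g in m.groups()) < FIXED


def executable_uploads(media_root):
    """Return sorted relative paths of files under media_root that match EXEC_RE."""
    hits = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            if EXEC_RE.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), media_root))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample data; replace with json.load() of a real composer.lock
    # and the store's media directory (pub/media on a default Magento 2 layout).
    lock = {"packages": [{"name": PACKAGE, "version": "3.9.1"}]}
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "uploads"))
        for name in ("uploads/invoice.pdf", "uploads/avatar.PHP", "note.phtml.jpg"):
            open(os.path.join(media, name), "w").close()
        v = installed_version(lock)
        print("locked version:", v, "affected:", is_affected(v))
        print("review these files:", executable_uploads(media))
```

A hit from `executable_uploads` is a file to review, not proof of compromise, and an empty result does not rule out uploads stored under other names.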
Sources
- ghsa: https://github.com/advisories/GHSA-mgg8-gq8g-gq88
- nvd: https://nvd.nist.gov/vuln/detail/CVE-2026-53787
- google-search: https://amasty.com/order-attributes-for-magento-2.html
- google-search: https://sansec.io/research/amasty-order-attributes-file-upload
- google-search: https://www.vulncheck.com/advisories/amasty-order-attributes-for-magento-2-unauthenticated-arbitrary-file-upload