Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload
CVE-2026-53787

9.3CRITICAL

Key Information:

Vendor

Amasty

Status
Order Attributes For Magento 2
Vendor
CVE Published:
12 June 2026

What is CVE-2026-53787?

Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.

Affected Version(s)

Order Attributes for Magento 2 0

References

https://sansec.io/research/amasty-order-attributes-file-u...
technical-description
https://amasty.com/order-attributes-for-magento-2.html
productrelease-notes
https://www.vulncheck.com/advisories/amasty-order-attribu...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sansec
.