CVE-2026-53787

CRITICAL 9.8

Amasty Order Attributes for Magento 2 < 4.0.0 Unauthenticated Arbitrary File Upload

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.

CWE	CWE-434
Vendor	amasty
Product	order attributes for magento 2
Published	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for amasty order attributes for magento 2

Be the first to know when new critical vulnerabilities affecting amasty order attributes for magento 2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Amasty / Order Attributes for Magento 2

0 < 4.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

sansec.io: https://sansec.io/research/amasty-order-attributes-file-upload amasty.com: https://amasty.com/order-attributes-for-magento-2.html vulncheck.com: https://www.vulncheck.com/advisories/amasty-order-attributes-for-magento-2-unauthenticated-arbitrary-file-upload

Credits

Sansec