PatchSiren cyber security CVE debrief
CVE-2026-53787 Amasty CVE debrief
CVE-2026-53787 is a critical unauthenticated arbitrary file upload vulnerability in Amasty Order Attributes for Magento 2 before version 4.0.0. The vulnerability allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. This can lead to remote code execution on servers where the media directory permits PHP execution, or enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
- Vendor: Amasty
- Product: Order Attributes for Magento 2
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators and users of Amasty Order Attributes for Magento 2 before version 4.0.0 should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 4.0.0 or later of Amasty Order Attributes for Magento 2.
- Restrict access to the upload endpoint to authenticated users only.
- Validate and sanitize user input to prevent arbitrary file uploads.
- Monitor the media directory for suspicious files and activity.
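As an added example (not code from Amasty, Magento or PatchSiren), the Python below shows the defender's side of two of the actions above: an upload-name policy that closes the file-type, file-name and traversal gaps the debrief describes, and a media-directory audit that flags files a web server might execute or a browser might script. The media root path is hypothetical, since the advisory names neither the endpoint nor the directory.

```python
import os
import re
import secrets
from typing import Optional

# Allow-listed extensions and the magic bytes each must start with (added example, not Amasty code).
ALLOWED_MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
# Names that become executable or scriptable when served from a web-exposed media directory;
# the trailing "(\.|$)" also catches double extensions such as shell.php.jpg.
RISKY_NAME = re.compile(r"\.(php\d?|phtml|phar|htaccess|shtml|svg|html?|js)(\.|$)", re.I)
# Hypothetical upload root; the real module path is not given in the advisory.
MEDIA_ROOT = os.path.realpath("/var/www/html/pub/media/upload_example")


def is_risky_name(name: str) -> bool:
    """True for file names a defender should review when they appear in the media directory."""
    return bool(RISKY_NAME.search(name))


def safe_destination(user_name: str, content: bytes, media_root: str = MEDIA_ROOT) -> Optional[str]:
    """Return a safe path under media_root for an upload, or None to reject it outright."""
    if "\x00" in user_name:
        return None
    base = os.path.basename(user_name.replace("\\", "/"))  # drop any client-supplied directory part
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None or not content.startswith(magic):
        return None  # extension not on the allow-list, or content does not match the claimed type
    # Never reuse the client name: a random server-side name defeats double-extension tricks.
    dest = os.path.realpath(os.path.join(media_root, f"{secrets.token_hex(16)}.{ext}"))
    if os.path.commonpath([dest, media_root]) != media_root:
        return None  # belt-and-braces: the final path must still resolve inside the media root
    return dest


def audit_media_dir(media_root: str = MEDIA_ROOT) -> list:
    """Walk an existing media directory and list files whose names look executable or scriptable."""
    hits = []
    for dirpath, _, files in os.walk(media_root):
        hits.extend(os.path.join(dirpath, n) for n in files if is_risky_name(n))
    return sorted(hits)
```

Run `audit_media_dir()` from cron against the store's real media root and alert on any non-empty result; a hit is either a legitimate asset that needs an explicit exception or a dropped web shell.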
Evidence notes
The vendor name is unknown, but evidence suggests that the product is related to Amasty.
Official resources
CVE-2026-53787 was published on 2026-06-12T15:16:31.557Z and modified on 2026-06-12T16:07:49.437Z.