Magento “PolyShell” File Upload Vulnerability

Update timeline

1. investigating Mar 18, 2026, 06:32 PM UTC

   We are aware of recent reports regarding a potential unrestricted file upload vulnerability, commonly referred to as “PolyShell”, affecting Magento and Adobe Commerce. At this time, our teams are actively reviewing server environments to assess any potential impact and determine whether any systems/customer sites may be affected. We will provide further updates as more information becomes available. If you have any questions or concerns. You can reach us through the following channels: Live Chat: https://my.liquidweb.com/ Email: [email protected]

2. monitoring Mar 19, 2026, 12:15 AM UTC

   Following our investigation, we are implementing a mitigation measure for Magento 2 installations on our Managed hosting platform for which we have access between 21:00 EDT and 23:00 EDT tonight. We have sent a ticket to all customers with servers where mitigations will be applied. For these customers, we will be deploying an .htaccess file to block direct web-request access to the uploads directory. This change is expected to have minimal impact. If your site has been customised to serve or process requests through the upload directory, this functionality will be affected. Please contact us with any questions. Customers with Magento2 websites who did not receive a ticket should review the Sansec article below announcing this vulnerability and apply the recommended changes: https://sansec.io/research/magento-polyshell If you have any questions or concerns. You can reach us through the following channels: Live Chat: https://my.liquidweb.com/ Email: [email protected] We appreciate your patience and understanding.

3. resolved Mar 20, 2026, 12:29 AM UTC

   We have taken steps to prohibit execution of files exploiting the "PolyShell" unrestricted file upload vulnerability on a subset of servers in our environment. We have sent a ticket to all customers we've protected identifying the servers and paths involved. If you have any questions or concerns. You can reach us through the following channels: Live Chat: https://my.liquidweb.com/ Email: [email protected]