A new security vulnerability in Magento and Adobe Commerce was publicly disclosed on March 17, 2026. Named PolyShell, it allows attackers to upload executable files to any store through the REST API — without needing an account or login. No production patch exists yet, and the exploit method is already circulating.
