Magento Critical Security Vulnerability: Polyshell

QV Polyshell Blog

An August 2025 bugfix committed to the Magento code repository (compatible only with alpha and beta versions of Magento) revealed a critical vulnerability in how currently supported versions of Magento implement the custom options feature.

The custom options feature is intended to allow customers to customize a product being purchased, for example by uploading a custom logo for a clothing item.

The trouble arises from a lack of verification of the type of data being uploaded: a classic input validation flaw that allows bad hats to push malicious executable code through a feature meant for image files and similar attachments.

The bug went unnoticed until late March 2026, when public warnings about the issue began to surface and attacks against Magento sites commenced.

The attack consists of two steps:

  1. The attacker uploads executable code to the file system via the custom options feature.
  2. The attacker attempts to execute the uploaded code, typically by requesting it through the web server.

Default Magento configuration can block step 2 (the web server configurations Magento ships, such as nginx.conf.sample and the .htaccess under pub/media, refuse to execute scripts in the media directory); however, as with many such situations, individual configurations and attack methods vary greatly. Some sites were clearly vulnerable to both steps, and both were achieved in practice, while a great many sites (arguably the majority of the more than 100,000 Magento sites globally) were at least vulnerable to step 1.

An attack that achieves step 1 but not step 2 remains a serious risk: malware sits inside the Magento installation waiting to be executed and to fully compromise the system. A later change to the web server configuration, or a separate file-inclusion flaw, could be enough to trigger it.

Successful exploitation results in site compromise, with the attacker running code with the same privileges as the Magento application itself. From there, bad hats can steal customer information (data exfiltration) and take other actions.

What has made this situation notable is the lack of security patches for production versions of Magento 2. The patch for the prerelease version likely made the issue public while giving site owners no means of protecting the versions they actually run.

Various community patches have been offered, but none provide the same level of protection as the official patch.

The Problem with Current Industry Advice

Since Polyshell became public, the Magento community has rapidly sought a solution. Much of the publicly available advice does not fully address the vulnerability, or may inadvertently disrupt essential site functions if applied without a full understanding of the system’s architecture.

“Patch Now”

Some sources are urging site owners to “patch now”; however, the official patch is compatible only with prerelease versions of Magento, which the vast majority of sites do not run, so it is unsuitable for most.

Of course, updating a live, revenue-generating e-commerce site to an alpha or beta version is labor-intensive, carries significant stability risks, and is ill-advised.

Meanwhile, the available community patches are arguably incomplete. One that our team reviewed attempted to restrict uploads to image files only, without validating the uploaded data itself. Such a patch can still allow an attacker to introduce malicious code disguised as an innocuous file, because an extension or MIME-type check says nothing about the bytes inside the file.

Blocking Access to Custom Options

Another common recommendation is to block access to the pub/media/custom_options directory. While this can halt file execution, applying it without a clear understanding of your server’s architecture may disrupt your site’s functionality.

How QuestaVolta Protected Customers from Day One

When Polyshell became public, QuestaVolta deployed an immediate mitigation, effective for all Magento sites hosted on our platform.

We were able to achieve this with a single global rule added to our integrated market-leading Cloudflare-based WAF solution, which we include with all our Magento hosting plans.

Following the firewall mitigation, we provided a complete patch for Polyshell that is compatible with Magento versions 2.4.8, 2.4.7, 2.4.5, 2.4.4, and 2.4.3.

The patch properly handles file validation and custom product options at the code level, providing full protection against Polyshell.

What makes QuestaVolta different? In this case, zero Polyshell compromises.

  • We are not just a hosting company; we support and monitor your site, not just our servers.
  • Real solutions to problems. Are you running an older version of Magento 2? We can help you host it safely by protecting even EOL versions from compromise.
  • Market-leading and affordable top-tier web application firewall (WAF) solutions.
  • Malware scanning
  • Managed backups
  • Lightning-fast technical performance with Cloudflare caching
  • Lightning-fast support from a technology company you can actually talk to
  • Collaboration on solutions; we will not just “refer you to your development team.”
  • Are you a developer? We can make your life a lot easier. Call us.

QuestaVolta provides a variety of hosting solutions. Contact us for a no-cost, no-obligation consultation and/or review of your current solution.

Partner with a Host That Anticipates and Handles Threats

QuestaVolta provides custom hosting solutions that are engineered specifically for the complex demands of enterprise e-commerce sites. We operate our own infrastructure, ensuring you maintain full ownership, control, and transparency.

Call us at 866-703-6399 or schedule a free consultation.
