
Amasty Order Attributes EUVD-2026-36430

CVE-2026-53787 · CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
Published 2026-06-12 · Source: VulnCheck · GHSA-mgg8-gq8g-gq88
Score: 9.3 (CVSS 4.0, Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.8 CRITICAL

Unauthenticated network-reachable upload endpoint with no user interaction; arbitrary file write yields RCE on typical Magento deployments, so C/I/A all High.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

  • Patch available: Jun 12, 2026, 16:01 (EUVD)
  • Analysis generated: Jun 12, 2026, 14:52 (vuln.today)
  • CVE published: Jun 12, 2026, 13:52 (cve.org)

Description (CVE.org)

Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.

Analysis (AI)

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify Magento store with Order Attributes extension
  • Delivery: Send unauthenticated multipart POST to upload endpoint
  • Exploit: Write PHP webshell with traversal filename into pub/media
  • Execution: Request uploaded shell URL to execute code
  • Impact: Deploy payment skimmer or pivot into Magento backend

Vulnerability Assessment (AI)

Exploitation: Target store must run Amasty Order Attributes for Magento 2 at any version below 4.0.0 with its file-upload endpoint reachable from the internet (the default for any public Magento storefront). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All signals point in the same direction: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H reflects a network-reachable, no-auth, no-interaction upload that fully compromises the vulnerable system when PHP execution in media is possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker scrapes Magento storefronts, identifies those running the Amasty Order Attributes extension, and sends an unauthenticated multipart POST to the upload endpoint carrying a small PHP webshell with a traversal-laden filename. On a store where pub/media executes PHP, the attacker then requests the uploaded shell URL to gain RCE as the webserver user and pivot to inject a Magecart-style payment skimmer; on hardened stores the same upload is reused to host malware or land a stored XSS via SVG. …

Remediation: Vendor-released patch: upgrade Amasty Order Attributes for Magento 2 to version 4.0.0 or later via Composer or the Amasty marketplace, then run bin/magento setup:upgrade and clear caches; consult the Sansec research at https://sansec.io/research/amasty-order-attributes-file-upload and the VulnCheck advisory at https://www.vulncheck.com/advisories/amasty-order-attributes-for-magento-2-unauthenticated-arbitrary-file-upload for indicators. … Detailed patch versions, workarounds, and compensating controls in full report.
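As an added triage example (not code from vuln.today, Amasty, Sansec or VulnCheck), the following Python checks the two things the description and remediation above let a defender verify offline: whether an installed module version predates the 4.0.0 fix, and whether filenames recorded under pub/media fall into the classes the advisory names (PHP for code execution, HTML/SVG for stored XSS, or names that traverse outside the media directory). The extension lists, the helper names and any sample filenames are this example's assumptions.

```python
import posixpath
import re

# Assumed constants (this example's, not from the advisory): the first fixed
# release the page names, and the Magento 2 media directory it refers to.
FIXED_VERSION = (4, 0, 0)
MEDIA_ROOT = "pub/media"
# Extension classes follow the advisory's impact statement; the exact lists
# are this example's assumption.
EXECUTABLE_EXT = {"php", "phtml", "phar", "php5", "php7"}
ACTIVE_CONTENT_EXT = {"html", "htm", "xhtml", "svg"}


def parse_version(version):
    """'3.9.2-p1' -> (3, 9, 2); a leading 'v' and any suffix are ignored."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(version):
    """True for any Amasty Order Attributes version below 4.0.0."""
    return parse_version(version) < FIXED_VERSION


def classify_stored_path(filename, media_root=MEDIA_ROOT):
    """Classify a submitted filename as it would land under media_root:
    'traversal' (normalised path escapes the root; checked first),
    'executable' (PHP family: RCE where media executes PHP),
    'active-content' (HTML/SVG: the stored-XSS vector the advisory names),
    or 'ok'."""
    root = posixpath.normpath(media_root)
    target = posixpath.normpath(posixpath.join(root, filename))
    if target != root and not target.startswith(root + "/"):
        return "traversal"
    ext = posixpath.splitext(target)[1].lstrip(".").lower()
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in ACTIVE_CONTENT_EXT:
        return "active-content"
    return "ok"


def triage(version, filenames):
    """Vulnerable-version flag plus every filename that is not 'ok'."""
    classes = {f: classify_stored_path(f) for f in filenames}
    return {"vulnerable_version": is_vulnerable_version(version),
            "suspicious": {f: c for f, c in classes.items() if c != "ok"}}
```

Call triage() with the installed module version and the list of filenames recorded under pub/media (for example from the upload directory listing or web-server logs); anything returned under "suspicious" is worth a manual look, and a "traversal" hit means the file was written outside the directory the extension was meant to use.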

Recommended Action (AI)

Within 24 hours: Identify all Magento 2 instances running Amasty Order Attributes and document current versions. …



EUVD-2026-36430 vulnerability details – vuln.today
