CVE-2026-40488

Name of the Vulnerable Software and Affected Versions Magento Long Term Support (LTS) versions prior to 20.17.0

Description The product custom option file upload feature uses an incomplete blocklist forbidden extensions = php,exe to prevent dangerous file uploads. This restriction can be bypassed by using alternative PHP-executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht. Uploaded files are stored in the publicly accessible 'media/custom options/quote/' directory. In configurations where this directory lacks server-side execution restrictions, it allows Remote Code Execution (RCE), which is the ability of an attacker to execute arbitrary commands on the target server.

Recommendations Update to version 20.17.0.