A critical security flaw in Magento's REST API lets unauthenticated attackers upload malicious executables, potentially leading to remote code execution and account takeover. The vulnerability, dubbed PolyShell, abuses a weakness that allows attackers to disguise malicious code as an image so that it passes the platform's security checks. The consequences could be severe: attackers can gain control of Magento accounts without any prior authentication. The flaw is particularly concerning because exploiting it requires neither user interaction nor credentials. Sansec, the firm that discovered it, has warned of its potential impact and stressed that Magento users and administrators need to give it immediate attention. For security practitioners, the flaw underscores the importance of securing REST APIs and validating user uploads to prevent malicious activity.
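The summary above describes the core of the problem, a file that looks like an image to the upload check but carries executable code, without saying how a defender should check uploads. The following is an added illustration written for this page; it is not Magento's code or Sansec's research, and the image signatures, script markers and sample files are all assumptions constructed here. It shows why a content-based check matters: the validator requires a recognised image signature, requires the declared extension to agree with that signature, and then scans the whole body for server-side script markers, so a polyglot that satisfies the first two checks is still rejected.

```python
"""Content-based validation for uploaded image files.

Added illustration, not Magento's or Sansec's code. An extension or
Content-Type check alone accepts a polyglot that begins with a valid
image header but also contains server-side code. This validator checks
the leading bytes against known image signatures, checks the declared
extension against the detected type, and scans the body for script
markers, rejecting any file that fails any of the three checks.
"""
import re
from typing import Optional, Tuple

# Magic-byte signatures for the image types a hypothetical upload
# endpoint accepts (assumption: only GIF, PNG and JPEG are allowed).
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Declared extensions and the content type each one must match.
EXT_TO_KIND = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}

# Markers that have no business inside an image body. Matched
# case-insensitively over the raw bytes, not just the first kilobyte,
# because a polyglot carries its code after a valid header.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image kind whose signature the data starts with, or None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(data: bytes, claimed_ext: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the failed check."""
    kind = detect_image_type(data)
    if kind is None:
        return False, "no recognised image signature"
    ext = claimed_ext.lower().lstrip(".")
    if EXT_TO_KIND.get(ext) != kind:
        return False, f"extension {ext!r} does not match detected type {kind!r}"
    marker = SCRIPT_MARKERS.search(data)
    if marker:
        return False, f"script marker {marker.group()!r} at offset {marker.start()}"
    return True, kind


# Constructed sample inputs (not real uploads): a minimal GIF-like byte
# string, and the same bytes with a PHP open tag appended after the
# image data, which is the polyglot shape the validator must reject.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b"\x2c\x3b"
POLYGLOT_GIF = CLEAN_GIF + b"<?php /* constructed marker, not a payload */ ?>"
NOT_AN_IMAGE = b"MZ\x90\x00 constructed non-image bytes"


if __name__ == "__main__":
    for name, blob, ext in (
        ("clean gif", CLEAN_GIF, "gif"),
        ("polyglot gif", POLYGLOT_GIF, "gif"),
        ("wrong extension", CLEAN_GIF, "png"),
        ("non-image", NOT_AN_IMAGE, "png"),
    ):
        print(f"{name:16s} -> {validate_upload(blob, ext)}")
```

The marker scan is a heuristic, so treat it as one layer rather than the whole defence: re-encoding accepted images through an image library discards foreign bytes that survive a pattern check, and storing uploads outside the web root, or under a path the web server is configured never to execute, means a file that does slip through still cannot run.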