CVE-2021-36042: Magento executes code via the API File Option Upload Extension

May 24, 2022 (updated November 7, 2025)

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.

References

github.com/advisories/GHSA-6cwv-wj7v-73xp
github.com/magento/magento2
helpx.adobe.com/security/products/magento/apsb21-64.html
nvd.nist.gov/vuln/detail/CVE-2021-36042

Code Behaviors & Features

Detect and mitigate CVE-2021-36042 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →