What is the PolyShell vulnerability in Magento?

Unauthenticated code execution flaw in all stable Magento 2.x versions, enabling skimmers like this SVG beast. Adobe's fix

How do I detect SVG credit card stealer on my site?

Scan for 1x1 SVGs with onload/atob(). Check localStorage _mgx_cv. Block sketchy exfil domains/IPs per Sansec.

Nope. Still waiting on production update. Beta 2.4.9-alpha3+ exists, but risky for live stores.

🕳️ Vulnerabilities & CVEs

Your next online purchase? Could feed a hacker's wallet, thanks to a invisible pixel on Magento sites. Real shoppers, real risk—no sci-fi here.

theAIcatchup Apr 09, 2026 3 min read

Hackers hide full credit card skimmers in invisible 1x1 SVGs via Magento's PolyShell vuln, evading scanners. 𝕏
Fake checkout overlays steal validated card data, exfiltrated to Dutch domains—nearly 100 stores hit. 𝕏
Adobe lags on stable patch; store owners must hunt SVGs, check localStorage, block IPs now. 𝕏

Published by

Threat intelligence. Zero noise.

#Magento vulnerability #PolyShell #SVG skimmer #credit card stealer

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Bleeping Computer