{"uuid": "47105baa-19bd-4344-bfbf-b2f6a0c35849", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-54236", "type": "published-proof-of-concept", "source": "https://t.me/captainsmok3r_official/349", "content": "Many people ask me:\nWhat is this vulnerability where attackers upload .txt files (like cox.txt) to websites with paths like these?\nhttps://www.elgrantlapalero.com/media/customer_address/c/o/cox.txt\nhttps://tulip.store.oysterskin.ai/media/customer_address/a/z/azraelzeroday.txt\nhttps://zone-h.org/mirror/id/42506300\nAnswer:\nThese are two popular unauthenticated file upload vulnerabilities in Magento 2 / Adobe Commerce.\n1. SessionReaper (CVE-2025-54236): uses the path /media/customer_address/c/o/cox.txt. It comes from the customer address file upload feature (/customer/address_file/upload).\n2. PolyShell (newer vulnerability): uses the path /media/custom_options/quote/.../*.txt. It is exploited through the REST API when adding items to the cart with custom file options.\nPoC:\nhttps://github.com/Baba01hacker666/cve-2025-54236", "creation_timestamp": "2026-06-04T14:09:50.000000Z"}