A critical unauthenticated remote code execution vulnerability (APSB25-94) in Magento Open Source and Adobe Commerce allows attackers to upload polyglot files containing PHP code. By exploiting the REST API's cart item custom options, attackers can bypass basic image validation to deploy web shells and execute arbitrary code on the server.