With this release, we have disabled PHP execution in the /media directory to harden the platform against a recurring class of vulnerabilities.
In the past 12 months, multiple CVEs have been published for both the Magento 2 core and commonly used third-party extensions. A significant number of them involved the /media directory, typically by dropping an executable file there. When we learn about such a CVE, we analyze behavior on our platform and, where possible, apply a platform-wide patch to mitigate the issue. We still rely on our customers and partners to patch their own sites as soon as possible so the CVE is fully resolved.
Blocking PHP execution in /media removes this directory as an attack vector and should keep us clear of any future CVEs of this kind. No action is required on your end.
Magento 2 thumbnail generation is unaffected: that script lives at /get.php, not /media/get.php, so on-the-fly image resizing continues to work as normal.
You can find the configuration in /data/web/nginx/server.block_media_php.conf. If you have a legitimate use case that relies on executing PHP from /media, please reach out to our support team.
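As an illustration of what such a rule looks like, here is an added nginx snippet written for this note; it is not the contents of the platform's own server.block_media_php.conf, and the hostname and file name in the verification command are assumptions. It refuses to hand any `.php`, `.phtml` or `.phar` path under /media to the FastCGI backend while leaving static image delivery and the `/get.php` thumbnail fallback untouched.

```nginx
# Added example, not the platform's own configuration file.
# Place this inside the server {} block *before* the generic
# "location ~ \.php$ { fastcgi_pass ... }" handler: nginx picks the first
# matching regex location in file order, so the deny must come first.
location ~* ^/media/.*\.(php|phtml|phar)(/|$) {
    # "(/|$)" also catches /media/x.php/anything, which a PATH_INFO-style
    # handler would otherwise treat as a request for x.php.
    deny all;
}

# The stock Magento 2 /media/ block stays as it is: missing images fall
# through to /get.php (at the web root), so on-the-fly resizing still works.
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;
}

# Check after reloading (assumed hostname and file name):
#   curl -sI https://shop.example.com/media/test.php | head -1
# should report 403 Forbidden, while an existing image under /media/
# still returns 200.
```

Run `nginx -t` before reloading to confirm the file parses, and keep the deny rule in a regex location rather than a prefix one: a prefix `location /media/` would be outranked by the regex `\.php$` handler and the block would silently never apply.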