EUVD-2026-23904

OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution...

EUVD-2026-23903

OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure...

EUVD-2026-23891

OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module...

EUVD-2026-23889

OpenMage LTS: Phar Deserialization leads to Remote Code Execution...

CVE-2026-40488

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete...

CVE-2026-40098

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public...

CVE-2026-25525 OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter...

CVE-2026-25525 OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter...

CVE-2026-25525

OpenMage LTS (Magento Long Term Support) Dataflow module before 20.17.0 is affected by a path traversal filter bypass. The weak blacklist uses str_replace('../', '', $input), which can be bypassed with patterns like ..././ or ....//, still resulting in ../ after replacement. An authenticated admi...

CVE-2026-25524

OpenMage LTS (Magento LTS unofficial fork) before v20.17.0 is affected by a Phar deserialization flaw. PHP functions getimagesize(), file_exists(), and is_readable() can deserialize when given phar:// stream wrapper paths, used during image validation/media handling with controllable file paths. ...

PT-2026-33796

Name of the Vulnerable Software and Affected Versions Magento Long Term Support LTS versions prior to 20.17.0 Description PHP functions such as getimagesize, file exists, and is readable can trigger deserialization when processing phar:// stream wrapper paths. The software uses these functions wi...

PT-2026-33797

The Dataflow module in OpenMage LTS uses a weak blacklist filter str replace'../', '', $input to prevent path traversal attacks. This filter can be bypassed using patterns like ..././ or ....//, which after the replacement still result in ../. An authenticated administrator can exploit this to re...

PT-2026-33802

Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant Summary The shared wishlist add-to-cart endpoint authorizes access with a public sharing code, but loads the acted-on wishlist item by a separate global wishlist item id and...