CVE-2025-64174: Cross-site Scripting in Magento-lts

Severity: 4.6 MEDIUM (NVD)
EPSS: 0.0% (top 91.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 6, 2025

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that can be abused by an admin with direct database access, or by whoever controls the admin notification feed source, to inject malicious scripts into vulnerable fields. Translation strings and URLs are printed unescaped into HTML contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or
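The rendering pattern behind this advisory, shown as an added PHP example that is not OpenMage's own Actions.php code: a notification row whose URL comes from the feed source, and an action label that comes from the translation layer, are concatenated into the grid cell, first without escaping and then with output encoding plus a URL scheme check. The Notification class, the translate() stand-in, the markAsRead path and the two malicious inputs are assumptions constructed for this example; in a real OpenMage block the framework's escaping helpers (such as escapeHtml()) fill the role of the escapeHtml() function defined here.

```php
<?php
// Added example (not OpenMage code). Demonstrates the vulnerable and the
// hardened way to build an admin-notification "Actions" cell from values
// that an attacker with database or feed-source control can influence.
declare(strict_types=1);

// Assumed stand-in for the grid row object.
final class Notification
{
    public function __construct(
        public int $id,
        public string $url,   // arrives from the notification feed source
        public bool $isRead,
    ) {}
}

// Assumed stand-in for the translation layer. In a real install translated
// strings are loaded from translation tables/CSV, so a tampered translation
// is attacker-controlled input just like the feed URL.
function translate(string $key, array $translations): string
{
    return $translations[$key] ?? $key;
}

// Vulnerable pattern: the feed URL and the translated labels are dropped
// straight into HTML, so a quote in the URL or a tag in the label becomes markup.
function renderActionsVulnerable(Notification $n, array $translations): string
{
    $html = '';
    if ($n->url !== '') {
        $html .= '<a href="' . $n->url . '" target="_blank">'
               . translate('Read Details', $translations) . '</a>';
    }
    if (!$n->isRead) {
        // The markAsRead path is an assumed placeholder for the real admin URL.
        $html .= ' | <a href="/admin/notification/markAsRead/id/' . $n->id . '">'
               . translate('Mark as Read', $translations) . '</a>';
    }
    return $html;
}

// HTML-encode for element content and double-quoted attribute values.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute escaping alone does not stop a javascript: URL, which is a valid
// attribute value; only http(s) links are allowed into href.
function safeHref(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escapeHtml($url) : null;
}

// Hardened pattern: every value that did not originate in this function is
// escaped for the context it lands in, and the id is forced to an integer.
function renderActionsHardened(Notification $n, array $translations): string
{
    $html = '';
    $href = safeHref($n->url);
    if ($href !== null) {
        $html .= '<a href="' . $href . '" target="_blank" rel="noopener">'
               . escapeHtml(translate('Read Details', $translations)) . '</a>';
    }
    if (!$n->isRead) {
        $html .= ' | <a href="/admin/notification/markAsRead/id/' . (int) $n->id . '">'
               . escapeHtml(translate('Mark as Read', $translations)) . '</a>';
    }
    return $html;
}

// Constructed malicious inputs: a feed item whose URL breaks out of the href
// attribute, a feed item with a javascript: URL, and a tampered translation
// carrying a script tag.
$attrBreakout = new Notification(
    id: 7,
    url: 'https://example.test/x" onmouseover="alert(document.cookie)',
    isRead: false,
);
$jsScheme = new Notification(id: 8, url: 'javascript:alert(1)', isRead: true);
$tamperedTranslations = ['Mark as Read' => 'Mark as Read<script>alert(1)</script>'];

foreach ([$attrBreakout, $jsScheme] as $n) {
    echo "vulnerable: ", renderActionsVulnerable($n, $tamperedTranslations), PHP_EOL;
    echo "hardened:   ", renderActionsHardened($n, $tamperedTranslations), PHP_EOL, PHP_EOL;
}
```

Run with `php example.php` (PHP 8.0 or later). In the vulnerable output the first row's onmouseover handler and the script tag in the label are live markup, and the second row links to javascript:; in the hardened output the quote and angle brackets arrive as entities and the javascript: link is dropped entirely.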

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages (3 packages)

Source      Package                 Affected versions
NVD         openmage/magento        < 20.16.0
CVEListV5   openmage/magento-lts    < 20.16.0
Packagist   openmage/magento-lts    < 20.16.0

Patches

Vulnerability Details (3 references)

CVEList: OpenMage is vulnerable to XSS in Admin Notifications (2025-11-06)
OSV: OpenMage vulnerable to XSS in Admin Notifications (2025-11-03)
GHSA: OpenMage vulnerable to XSS in Admin Notifications (2025-11-03)
Source: cvebase