CVE-2026-25523
published 2026-02-04


Priority: P4 / 28
CVSS 3.1 base score: 5.3 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.29% (20.5th percentile)
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.

Affected (3 ranges)

Vendor     Product       Version range        Fixed in
openmage   magento       <= 20.16.0           (none listed)
openmage   magento-lts   < 20.16.1            20.16.1
openmage   magento-lts   >= 0, < 20.16.1      20.16.1