CVE-2026-25525
published 2026-04-20CVE-2026-25525: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a…
PriorityP431medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EPSS
0.50%
39.1th percentile
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 20.17.0 | 20.17.0 |
| openmage | magento-lts | < 20.17.0 | 20.17.0 |
| openmage | magento-lts | >= 0 < 20.17.0 | 20.17.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
ghsa·2026-04-21
CVE-2026-25525 [MEDIUM] CWE-184 OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
The Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.
| Metric | Value | Justification |
| ------------------------ | --------- | ------------------------------------- |
| Attack Vector (AV) | Network | Exploitable via admin panel |
| Attack Complexity (AC) | Low | Simple bypass pattern |
| Privileges Required (PR) | High | Requires admin authentication |
| User Interaction (UI) | None | No additional user interaction needed
VulDB
OpenMage magento-lts up to 20.16.x Dataflow path traversal (GHSA-6vqf-6fhm-7rc6)
vuldb·2026-04-20·CVSS 4.9
CVE-2026-25525 [MEDIUM] OpenMage magento-lts up to 20.16.x Dataflow path traversal (GHSA-6vqf-6fhm-7rc6)
A vulnerability was found in OpenMage magento-lts up to 20.16.x and classified as critical. This impacts an unknown function of the component Dataflow Module. Such manipulation leads to path traversal.
This vulnerability is traded as CVE-2026-25525. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-20
Published