CVE-2026-40098
published 2026-04-20CVE-2026-40098: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a…
PriorityP430medium5.4CVSS 3.1
AVNACLPRLUINSUCLILAN
EPSS
0.18%
7.3th percentile
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 20.17.0 | 20.17.0 |
| openmage | magento-lts | < 20.17.0 | 20.17.0 |
| openmage | magento-lts | >= 0 < 20.17.0 | 20.17.0 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
ghsa·2026-04-21
CVE-2026-40098 [MEDIUM] CWE-862 OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
# Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant
## Summary
The shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code.
This lets an attacker use:
- a valid shared wishlist code for wishlist A
- a wishlist item ID belonging to victim wishlist B
to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A.
Because the victim item's stored `buyRequest` is reused during cart import, the victim's private
VulDB
OpenMage magento-lts up to 20.16.x Download Endpoint sharing_code authorization (GHSA-665x-ppc4-685w)
vuldb·2026-04-20·CVSS 5.3
CVE-2026-40098 [MEDIUM] OpenMage magento-lts up to 20.16.x Download Endpoint sharing_code authorization (GHSA-665x-ppc4-685w)
A vulnerability, which was classified as critical, was found in OpenMage magento-lts up to 20.16.x. The impacted element is an unknown function of the component Download Endpoint. The manipulation of the argument sharing_code results in missing authorization.
This vulnerability is reported as CVE-2026-40098. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-20
Published