Openmage Magento-Lts vulnerabilities
29 known vulnerabilities affecting openmage/magento-lts.
Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 15, MEDIUM 9, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2026-40098 | MEDIUM (P4) | CVSS 5.4 | CWE-862 | fixed in 20.17.0 | 2026-04-20
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by
Sources: GHSA, NVD
CVE-2026-42207 | MEDIUM (P4) | CVSS 6.1 | CWE-601 | fixed in 20.18.0 | 2026-05-15
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) wi
Sources: GHSA, NVD
CVE-2026-42458 | MEDIUM (P4) | CVSS 5.3 | CWE-87 | fixed in 20.18.0 | 2026-05-15
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel -> System -> Import/Export -> Dataflow - Profiles. This vulnerability is fixed i
Sources: GHSA, NVD
CVE-2026-25523 | MEDIUM (P4) | CVSS 5.3 | CWE-200 | fixed in 20.16.1 | 2026-02-04
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.
Sources: GHSA, NVD, OSV
CVE-2024-20717 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | affected >= 20.0.0, < 20.5.0 and >= 0, < 19.5.3 | 2024-02-27
Magento LTS vulnerable to stored XSS in admin file form
### Summary
OpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.
### Details
`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape the filename value in certain situations.
Same as: https://nvd.nist.gov/vuln/detail/C
Sources: GHSA, OSV
CVE-2025-64174 | MEDIUM (P4) | CVSS 4.8 | CWE-79 | fixed in 20.16.0 | 2025-11-06
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation stri
Sources: GHSA, NVD, OSV
CVE-2024-41676 | MEDIUM (P4) | CVSS 4.8 | CWE-79 | fixed in 20.10.1 | 2024-07-29
Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs. They are intended to let admins set a text in two of the cases, and to define an image URL in the other two case
Sources: GHSA, NVD, OSV
CVE-2021-21395 | MEDIUM (P4) | CVSS 4.3 | CWE-352 | fixed in 19.4.22; affected >= 20.0.0, < 20.0.19 | 2023-01-27
Magento LTS (Long Term Support) is a community-developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and the time the user submits the new password. This issue is patched in version
Sources: GHSA, NVD, OSV
CVE-2025-27400 | LOW (P4) | CVSS 2.9 | CWE-79 | fixed in 20.12.3 | 2025-02-28
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel which could lead to cross-site scripting against
Sources: GHSA, NVD, OSV