cvedb.io
CVE-2026-25525
MEDIUM · CVSS 4.9
EPSS exploitation probability: 0%
Published 2026-04-20T17:16:32.460 · Last modified 2026-06-17T10:24:47.563

Summary

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.

Affected products

openmage — magento

Does this affect you?

Add your gear to cvedb and we'll alert you only when openmage ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.