openmage/magento-lts Security Advisories for v19.5.1 (10)

[HIGH] OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
Identifiers: PKSA-ctbx-q2cr-ntvc, CVE-2026-40488, GHSA-3j5q-7q7h-2hhv
Affected version: <=20.16.0
Reported by:
GitHub

[MEDIUM] OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
Identifiers: PKSA-sg96-p97c-1769, CVE-2026-40098, GHSA-665x-ppc4-685w
Affected version: <20.17.0
Reported by:
GitHub

[MEDIUM] OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
Identifiers: PKSA-t8bb-kchx-xyxb, CVE-2026-25525, GHSA-6vqf-6fhm-7rc6
Affected version: <20.17.0
Reported by:
GitHub

[HIGH] OpenMage LTS: Phar Deserialization leads to Remote Code Execution
Identifiers: PKSA-w28m-jx16-bpbn, CVE-2026-25524, GHSA-fg79-cr9c-7369
Affected version: <20.17.0
Reported by:
GitHub

[MEDIUM] Magento's X-Original-Url header can expose admin url
Identifiers: PKSA-nz6n-ckcm-yb2x, CVE-2026-25523, GHSA-jg68-vhv3-9r8f
Affected version: <20.16.1
Reported by:
GitHub

[MEDIUM] OpenMage vulnerable to XSS in Admin Notifications
Identifiers: PKSA-t425-mpgn-4yhs, CVE-2025-64174, GHSA-qv78-c8hc-438r
Affected version: <20.16.0
Reported by:
GitHub

[LOW] Magento LTS vulnerable to stored XSS in theme config fields
Identifiers: PKSA-626k-1yg1-m164, CVE-2025-27400, GHSA-5pxh-89cx-4668
Affected version: <20.12.3
Reported by:
GitHub

[MEDIUM] Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs
Identifiers: PKSA-w1pc-fvwg-8vsf, CVE-2024-41676, GHSA-5vrp-638w-p8m2
Affected version: <20.10.1
Reported by:
GitHub

[MEDIUM] Magento LTS vulnerable to stored XSS in admin file form
Identifiers: PKSA-7kjg-jm3v-dfw2, GHSA-gp6m-fq6h-cjcx
Affected version: <19.5.3|>=20.0.0,<20.5.0
Reported by:
GitHub

[HIGH] Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor
Identifiers: PKSA-gyfx-x49w-8nbg, GHSA-9j5w-2cqc-cwj9
Affected version: <20.2.0
Reported by:
GitHub