openmage/magento-lts Security Advisories for v20.16.0 (5)
-
[HIGH] OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
PKSA-ctbx-q2cr-ntvc CVE-2026-40488 GHSA-3j5q-7q7h-2hhv
Affected version: <=20.16.0
Reported by: GitHub
-
[MEDIUM] OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
PKSA-sg96-p97c-1769 CVE-2026-40098 GHSA-665x-ppc4-685w
Affected version: <20.17.0
Reported by: GitHub
-
[MEDIUM] OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
PKSA-t8bb-kchx-xyxb CVE-2026-25525 GHSA-6vqf-6fhm-7rc6
Affected version: <20.17.0
Reported by: GitHub
-
[HIGH] OpenMage LTS: Phar Deserialization leads to Remote Code Execution
PKSA-w28m-jx16-bpbn CVE-2026-25524 GHSA-fg79-cr9c-7369
Affected version: <20.17.0
Reported by: GitHub
-
[MEDIUM] Magento's X-Original-Url header can expose admin url
PKSA-nz6n-ckcm-yb2x CVE-2026-25523 GHSA-jg68-vhv3-9r8f
Affected version: <20.16.1
Reported by: GitHub