[HIGH] OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution

PKSA-ctbx-q2cr-ntvc CVE-2026-40488 GHSA-3j5q-7q7h-2hhv

Affected package: openmage/magento-lts

Affected version: <=20.16.0

Reported by:
GitHub