[MEDIUM] OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure

PKSA-sg96-p97c-1769 CVE-2026-40098 GHSA-665x-ppc4-685w

Affected package: openmage/magento-lts

Affected version: <20.17.0

Reported by:
GitHub