Security: OpenMage/magento-lts
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Weak API Session ID — Predictable MD5 of Time-Derived Inputs - magento-ltsGHSA-2cwr-gcf9-pvxr published
May 4, 2026 by sreichelCritical -
Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` - magento-ltsGHSA-qpgq-5g92-j5q8 published
May 4, 2026 by sreichelModerate -
Customer File Upload Extension Blocklist Bypass → Remote Code ExecutionGHSA-3j5q-7q7h-2hhv published
Apr 18, 2026 by sreichelModerate -
Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variantGHSA-665x-ppc4-685w published
Apr 18, 2026 by sreichelModerate -
Reflected XSS - Import -> Data Flow (profiles)GHSA-x8jv-q8j2-487c published
May 4, 2026 by sreichelModerate -
Phar Deserialization leads to Remote Code ExecutionGHSA-fg79-cr9c-7369 published
Apr 18, 2026 by sreichelHigh -
Path Traversal Filter Bypass in Dataflow ModuleGHSA-6vqf-6fhm-7rc6 published
Apr 18, 2026 by sreichelModerate -
X-Original-Url header can expose admin urlGHSA-jg68-vhv3-9r8f published
Feb 2, 2026 by colinmollenhourModerate -
XSS in Admin NotificationsGHSA-qv78-c8hc-438r published
Nov 1, 2025 by sreichelModerate -
Stored XSS in theme config fieldsGHSA-5pxh-89cx-4668 published
Feb 28, 2025 by colinmollenhourLow