CVE-2026-25525— OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25525
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module
Source: NVD (National Vulnerability Database)
Vulnerability Description
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenMage Magento Lts(Magento) 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenMage Magento Lts(Magento)是OpenMage组织的一个电子商务系统。 OpenMage Magento Lts(Magento)20.17.0之前版本存在安全漏洞,该漏洞源于Dataflow模块使用弱黑名单过滤器防止路径遍历攻击,可能导致经过身份验证的管理员读取服务器上的任意文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| OpenMage | magento-lts | < 20.17.0 | - |
II. Public POCs for CVE-2026-25525
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25525
请登录查看更多情报信息。
Same Patch Batch · OpenMage · 2026-04-20 · 4 CVEs total
| CVE-2026-25524 | 8.1 HIGH | OpenMage LTS's Phar Deserialization leads to Remote Code Execution |
| CVE-2026-40098 | OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private | |
| CVE-2026-40488 | OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Code |
IV. Related Vulnerabilities
Same product: magento-lts
- CVE-2026-40488
OpenMage LTS has Customer File Upload Extension Blocklist By - CVE-2026-40098
OpenMage LTS imports cross-user wishlist item via shared wis - CVE-2026-25524
OpenMage LTS's Phar Deserialization leads to Remote Code Exe - CVE-2026-25523
Magento's X-Original-Url header can expose admin url - CVE-2025-64174
OpenMage is vulnerable to XSS in Admin Notifications
Same vendor: OpenMage
- CVE-2026-40488
OpenMage LTS has Customer File Upload Extension Blocklist By - CVE-2026-40098
OpenMage LTS imports cross-user wishlist item via shared wis - CVE-2026-25524
OpenMage LTS's Phar Deserialization leads to Remote Code Exe - CVE-2026-25523
Magento's X-Original-Url header can expose admin url - CVE-2025-64174
OpenMage is vulnerable to XSS in Admin Notifications
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-25525
No comments yet