
OpenMage — Vulnerabilities & Security Advisories (24)

Browse all 24 CVE security advisories affecting OpenMage. Each entry carries an AI-generated Chinese-language analysis, proof-of-concept links where available, and references.

OpenMage is the community-maintained fork of Magento 1, distributed as magento-lts, that keeps the platform patched for merchants who stayed on Magento 1 after the original vendor ended support. The 24 CVEs recorded here cluster into a few classes visible in the CWE column: code execution through admin-side features, chiefly layout XML and custom layout updates, the CMS editor and widgets, and the Dataflow import/export module (CWE-77, CWE-91, CWE-22); unsafe deserialization, including a Phar case and a Zend Framework stream wrapper bug inherited from a dependency (CWE-502); an upload extension blocklist bypass (CWE-434); stored XSS in admin configuration and notification fields (CWE-79); a blind SQL injection backported from a Magento 2 fix (CWE-89); and weak randomness or timing leaks around guest-order access (CWE-330, CWE-203). Two points matter for triage. First, several of the code-execution entries are post-authentication: a 7.2 score on these rows reflects a high-privilege precondition, so practical exposure is governed by admin credential hygiene, keeping the admin URL non-guessable (see the X-Original-Url entry) and restricting who may edit layout or Dataflow profiles, not by patch level alone. Second, the two most recent entries are flagged on this page as carrying AI-estimated CVSS scores and severities rather than vendor or NVD values, and should be re-scored against the upstream advisory before being used to rank remediation work. The community releases fixes promptly, but the steady rate of disclosures is the security debt of carrying a legacy framework, and it argues for tracking magento-lts releases and applying them as they appear rather than batching them.

Top products by OpenMage: magento-lts
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40488 | OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Code Execution | magento-lts | CWE-434 | 9.8 (AI est.) | Critical (AI est.) | 2026-04-20 |
| CVE-2026-40098 | OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private option disclosure and file-disclosure variant | magento-lts | CWE-862 | 8.1 (AI est.) | High (AI est.) | 2026-04-20 |
| CVE-2026-25525 | OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module | magento-lts | CWE-22 | 4.9 | Medium | 2026-04-20 |
| CVE-2026-25524 | OpenMage LTS's Phar Deserialization leads to Remote Code Execution | magento-lts | CWE-502 | 8.1 | High | 2026-04-20 |
| CVE-2026-25523 | Magento's X-Original-Url header can expose admin url | magento-lts | CWE-200 | 5.3 | Medium | 2026-02-04 |
| CVE-2025-64174 | OpenMage is vulnerable to XSS in Admin Notifications | magento-lts | CWE-79 | 4.8 | - | 2025-11-06 |
| CVE-2025-27400 | Magento vulnerable to stored XSS in theme config fields | magento-lts | CWE-79 | 2.9 | Low | 2025-02-28 |
| CVE-2024-41676 | Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs | magento-lts | CWE-79 | 4.1 | Medium | 2024-07-29 |
| CVE-2023-41879 | Magento LTS's guest order "protect code" can be brute-forced too easily | magento-lts | CWE-330 | 7.5 | High | 2023-09-11 |
| CVE-2023-23617 | OpenMage LTS has DoS vulnerability in MaliciousCode filter | magento-lts | CWE-835 | 4.9 | Medium | 2023-01-27 |
| CVE-2021-41231 | OpenMage LTS DataFlow upload remote code execution vulnerability | magento-lts | CWE-77 | 7.2 | High | 2023-01-27 |
| CVE-2021-41144 | OpenMage LTS authenticated remote code execution through layout update | magento-lts | CWE-77 | 8.8 | High | 2023-01-27 |
| CVE-2021-41143 | OpenMage LTS arbitrary file deletion in customer media allows for remote code execution | magento-lts | CWE-77 | 7.2 | High | 2023-01-27 |
| CVE-2021-39217 | OpenMage LTS arbitrary command execution in custom layout update through blocks | magento-lts | CWE-77 | 7.2 | High | 2023-01-27 |
| CVE-2021-21395 | Magneto-lts vulnerable to Cross-Site Request Forgery | magento-lts | CWE-352 | 4.2 | Medium | 2023-01-27 |
| CVE-2021-32759 | Data Flow Sanitation Issue Fix | magento-lts | CWE-20 | 7.2 | High | 2021-08-27 |
| CVE-2021-32758 | Layout XML Arbitrary Code Fix | magento-lts | CWE-91 | 7.2 | High | 2021-08-27 |
| CVE-2021-21427 | Backport for CVE-2021-21024 Blind SQLi from Magento 2 | magento-lts | CWE-89 | 9.1 | Critical | 2021-04-21 |
| CVE-2021-21426 | Fixes a bug in Zend Framework's Stream HTTP Wrapper | magento-lts | CWE-502 | 9.8 | Critical | 2021-04-21 |
| CVE-2020-26295 | CMS Editor code execution | magento-lts | CWE-22 | 8.7 | High | 2021-01-21 |
| CVE-2020-26285 | Widget instances allows a hacker to inject an executable file on the server on OpenMage | magento-lts | CWE-22 | 8.7 | High | 2021-01-21 |
| CVE-2020-26252 | Layout XML RCE Vulnerability in OpenMage | magento-lts | CWE-22 | 8.7 | High | 2021-01-20 |
| CVE-2020-15244 | RCE in Magento | magento-lts | CWE-502 | 8.0 | High | 2020-10-21 |
| CVE-2020-15151 | Observable Timing Discrepancy in OpenMage LTS | magento-lts | CWE-203 | 8.0 | High | 2020-08-19 |

Values marked "AI est." are CVSS scores and severities estimated by this site's AI analysis rather than taken from the upstream advisory or NVD; a severity of "-" means none has been assigned.
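As an added illustration of the CWE-434 class that heads this list, the Python below contrasts a blocklist extension check with an allowlisted, content-verified one. It is example code written for this page, not OpenMage's own upload handling, and it makes no claim about the specific bypass behind CVE-2026-40488; the extension sets, the magic-byte table, the `stored_name` helper and the sample bytes are all constructed for the demo. It is in Python for readability, but the same three rules (closed allowlist, content must match extension, never reuse the client name on disk) apply to a PHP upload path.

```python
import os
import re
import secrets

# Constructed demo of the CWE-434 weakness class (upload extension blocklist vs.
# allowlist). Illustrative code only, not OpenMage's upload handling.

# Weak pattern: enumerate "bad" extensions and allow everything else.
# The set is deliberately incomplete to show the failure mode.
EXT_BLOCKLIST = {"php", "phtml", "php3"}


def blocklist_allows(filename: str) -> bool:
    """Blocklist check: accepts the file unless its last extension is listed.
    Case variants and unlisted executable extensions slip through."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in EXT_BLOCKLIST


# Hardened pattern: closed allowlist, each extension bound to a content type,
# and the content's leading bytes must match that type.
EXT_ALLOWLIST = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


def allowlist_accepts(filename: str, head: bytes) -> bool:
    """Allowlist check: bare basename only (no traversal), exactly one
    lowercase extension from the allowlist, and the first bytes of the
    content must match the type that extension maps to."""
    if filename != os.path.basename(filename.replace("\\", "/")):
        return False                      # directory separators / traversal
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False                      # double extensions, empty stem, odd chars
    kind = EXT_ALLOWLIST.get(parts[1])
    if kind is None:
        return False                      # not on the allowlist
    detected = next((k for magic, k in MAGIC if head.startswith(magic)), None)
    return detected == kind               # content must agree with extension


def stored_name(original: str) -> str:
    """Never reuse the client-supplied name on disk: random stem plus the
    allowlisted extension. (Hypothetical helper for the demo.)"""
    ext = original.lower().rsplit(".", 1)[1] if "." in original else ""
    if ext not in EXT_ALLOWLIST:
        raise ValueError("extension not allowlisted")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"   # constructed sample bytes
    PHP_HEAD = b"<?php echo 1;"                    # constructed sample bytes
    samples = [("photo.jpg", JPEG_HEAD), ("shell.PHP", PHP_HEAD),
               ("shell.phar", PHP_HEAD), ("x.php.jpg", JPEG_HEAD),
               ("../x.jpg", JPEG_HEAD), ("x.jpg", PHP_HEAD)]
    for name, head in samples:
        print(f"{name:12} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_accepts(name, head)}")
    print("stored as", stored_name("photo.JPG"))
```

Running it shows the blocklist accepting `shell.PHP` and `shell.phar` while the allowlist rejects them, rejects `x.php.jpg` and `../x.jpg` on shape alone, and rejects `x.jpg` whose bytes are PHP rather than JPEG. The last check matters in practice because an allowlist on name alone still lets a web server that sniffs or maps by content serve attacker-controlled script.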

This page lists every published CVE security advisory associated with OpenMage. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.