Threat Advisory

OpenMage Vulnerabilities Bypass File Upload for Confidential Records Leakage

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Retail & E-commerce, Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two vulnerabilities have been identified in OpenMage LTS, a community-driven project providing an alternative to the Magento Community Edition e-commerce platform. The affected software is the composer/openmage/magento-lts package, in versions up to and including the last affected release. Both allow remote code execution. The first involves a bypass of the custom option file upload blocklist, while the second exploits deserialization of untrusted data through the Phar stream wrapper. These vulnerabilities can be exploited through file uploads and web requests, and have significant implications for confidentiality, integrity, and availability. The business risk is substantial, as they can enable attackers to execute arbitrary code on affected systems, leading to data breaches and system compromise. Timely remediation is therefore essential to prevent exploitation and minimize the risk of a security breach.

CVE-2026-40488 with a CVSS score of 8.7 – The product custom option file upload in OpenMage LTS uses an incomplete blocklist to prevent dangerous file uploads. The blocklist can be trivially bypassed by using alternative PHP-executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht. Uploaded files are stored in the publicly accessible media/custom_options/quote/ directory, which in some configurations lacks server-side execution restrictions, enabling remote code execution if the directory is not explicitly denied script execution.

CVE-2026-25524 with a CVSS score of 8.1 – PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially attacker-controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file and trigger one of these functions with a phar:// path can achieve arbitrary code execution.
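Both issues above come down to the same two defensive controls: validate uploads by allowlist and by content rather than by an extension blocklist, and never let a user-influenced path reach a filesystem function while a stream wrapper such as phar:// is in play. The PHP below is an added illustration of those controls, written for this advisory; it is not OpenMage code, and the class and method names (UploadGuard, validate, assertPlainLocalPath, the ALLOWED_EXTENSIONS table) are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

/**
 * Defensive handling for customer-supplied custom-option uploads.
 * Added illustration for this advisory, not OpenMage project code;
 * all names here are assumptions.
 */
final class UploadGuard
{
    /** Allowlist: only these final extensions are ever accepted. */
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

    /** Extensions a web server may hand to the PHP interpreter. Checked
     *  against every earlier segment too, so "x.phtml.jpg" is refused. */
    private const PHP_EXECUTABLE = [
        'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'pht', 'phps',
    ];

    /** MIME type expected for each allowed extension, taken from file content. */
    private const ALLOWED_MIME = [
        'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'png'  => 'image/png',  'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];

    /**
     * Validate an uploaded file and return a server-chosen storage name,
     * or throw on any violation.
     */
    public static function validate(string $clientName, string $tmpPath): string
    {
        // Refuse wrapper paths before any filesystem call: getimagesize(),
        // file_exists() or is_readable() on a phar:// path would deserialize
        // the archive's metadata.
        self::assertPlainLocalPath($tmpPath);

        $parts = explode('.', strtolower(basename($clientName)));
        if (count($parts) < 2) {
            throw new InvalidArgumentException('File has no extension');
        }
        $ext = array_pop($parts);
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("Extension .$ext is not allowed");
        }
        foreach ($parts as $segment) {
            if (in_array($segment, self::PHP_EXECUTABLE, true)) {
                throw new InvalidArgumentException('Executable extension in filename');
            }
        }

        // Judge the content, not the name: finfo reads the magic bytes.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($tmpPath);
        if ($mime !== self::ALLOWED_MIME[$ext]) {
            throw new InvalidArgumentException("Content type $mime does not match .$ext");
        }

        // Random storage name: the client never chooses the on-disk path.
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }

    /** Reject any path carrying a stream-wrapper scheme (phar://, data://, ...). */
    public static function assertPlainLocalPath(string $path): void
    {
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not permitted');
        }
        if (strpos($path, "\0") !== false) {
            throw new InvalidArgumentException('Null byte in path');
        }
    }
}

// Defence in depth: if the application never needs phar://, unregister the
// wrapper at bootstrap so the filesystem functions cannot trigger it at all.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

Typical use is `$stored = UploadGuard::validate($_FILES['upload']['name'], $_FILES['upload']['tmp_name']);` followed by `move_uploaded_file()` into the media directory under `$stored`. Pair the code with a web-server rule that denies script execution beneath media/custom_options/quote/ (for example `php_flag engine off` in that directory's .htaccess on Apache, or an nginx location that returns 403 for PHP-executable extensions under media/), since the advisory notes the directory is publicly reachable and only some configurations restrict execution there.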


RECOMMENDATION:

We recommend updating OpenMage/magento-lts to version 20.17.0 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3j5q-7q7h-2hhv
https://github.com/advisories/GHSA-fg79-cr9c-7369
