CVE-2026-25525 MEDIUM

CVE-2026-25525: OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module

Vendor Openmage
Product magento-lts
Weakness CWE-22 · Path traversal
Published April 20, 2026
Last update April 21, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.

Key dates

02Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated