{"url":"http://public2.vulnerablecode.io/api/packages/382367?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.13","type":"composer","namespace":"openmage","name":"magento-lts","version":"19.4.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"20.0.9","latest_non_vulnerable_version":"21.0.0-beta1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70423?format=json","vulnerability_id":"VCID-3vh1-gwuy-dkdk","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20.18.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42155","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17664","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42155"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42155","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42155"},{"reference_url":"https://github.com/advisories/GHSA-2cwr-gcf9-pvxr","reference_id":"GHSA-2cwr-gcf9-pvxr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2cwr-gcf9-pvxr"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr","reference_id":"GHSA-2cwr-gcf9-pvxr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-15T17:36:24Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375478?format=json","purl":"pkg:composer/openmage/magento-lts@20.18.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0"}],"aliases":["CVE-2026-42155","GHSA-2cwr-gcf9-pvxr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3vh1-gwuy-dkdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/157585?format=json","vulnerability_id":"VCID-4h53-y83m-z7ec","summary":"OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41143","reference_id":"","reference_type":"","scores":[{"value":"0.01224","scoring_system":"epss","scoring_elements":"0.79527","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01224","scoring_system":"epss","scoring_elements":"0.79593","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41143"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41143","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41143"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91","reference_id":"45330ff50439984e806992fa22c3f96c4d660f91","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/45330ff50439984e806992fa22c3f96c4d660f91"},{"reference_url":"https://github.com/advisories/GHSA-5vpv-xmcj-9q85","reference_id":"GHSA-5vpv-xmcj-9q85","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vpv-xmcj-9q85"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85","reference_id":"GHSA-5vpv-xmcj-9q85","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22","reference_id":"v19.4.22","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19","reference_id":"v20.0.19","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:21Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2021-41143","GHSA-5vpv-xmcj-9q85","GMS-2023-155"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4h53-y83m-z7ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66056?format=json","vulnerability_id":"VCID-597x-5gb5-h7d7","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25524","reference_id":"","reference_type":"","scores":[{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60411","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25524"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25524","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25524"},{"reference_url":"https://github.com/advisories/GHSA-fg79-cr9c-7369","reference_id":"GHSA-fg79-cr9c-7369","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fg79-cr9c-7369"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369","reference_id":"GHSA-fg79-cr9c-7369","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0","reference_id":"v20.17.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373882?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-td37-pfe4-wfbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-25524","GHSA-fg79-cr9c-7369"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-597x-5gb5-h7d7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/156482?format=json","vulnerability_id":"VCID-782v-6fkq-pub1","summary":"Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21395","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25201","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25399","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21395"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21395","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21395"},{"reference_url":"https://hackerone.com/reports/1086752","reference_id":"1086752","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/"}],"url":"https://hackerone.com/reports/1086752"},{"reference_url":"https://github.com/advisories/GHSA-r3c9-9j5q-pwv4","reference_id":"GHSA-r3c9-9j5q-pwv4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r3c9-9j5q-pwv4"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4","reference_id":"GHSA-r3c9-9j5q-pwv4","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4"},{"reference_url":"https://packagist.org/packages/openmage/magento-lts","reference_id":"magento-lts","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:23Z/"}],"url":"https://packagist.org/packages/openmage/magento-lts"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2021-21395","GHSA-r3c9-9j5q-pwv4","GMS-2023-158"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-782v-6fkq-pub1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/157611?format=json","vulnerability_id":"VCID-8v75-vju1-1ffa","summary":"OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41231","reference_id":"","reference_type":"","scores":[{"value":"0.00992","scoring_system":"epss","scoring_elements":"0.77327","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00992","scoring_system":"epss","scoring_elements":"0.77397","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41231"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41231","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41231"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4","reference_id":"d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/d16fc6c5a1e66c6f0d9f82020f11702a7ddd78e4"},{"reference_url":"https://github.com/advisories/GHSA-h632-p764-pjqm","reference_id":"GHSA-h632-p764-pjqm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h632-p764-pjqm"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqm","reference_id":"GHSA-h632-p764-pjqm","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-h632-p764-pjqm"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22","reference_id":"v19.4.22","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19","reference_id":"v20.0.19","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:15Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2021-41231","GHSA-h632-p764-pjqm","GMS-2023-157"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8v75-vju1-1ffa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360950?format=json","vulnerability_id":"VCID-ch43-sk96-1qht","summary":"Magento LTS vulnerable to Stored XSS via TinyMCE WYSIWYG Editor\nFrom HackerOne report [#1948040](https://hackerone.com/reports/1948040) by Halit AKAYDIN (hltakydn)\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThe TinyMCE WYSIWYG editor fails to filter scripts when rendering the HTML in specially crafted HTML tags.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis vulnerability was fixed in version 20.2.0 by upgrading TinyMCE to a recent version in https://github.com/OpenMage/magento-lts/pull/3220\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThe WYSIWYG editor features could be disabled in the configuration. Possibly some WAF appliances would filter this attack.\n\n### References\n_Are there any links users can visit to find out more?_\n\nThe attack is simply an exploit of the \"onmouseover\" attribute of an `img` element as described on [OWASP XSS Filter Evasion](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)","references":[{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/3220","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/3220"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.2.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9j5w-2cqc-cwj9"},{"reference_url":"https://hackerone.com/reports/1948040","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1948040"},{"reference_url":"https://github.com/advisories/GHSA-9j5w-2cqc-cwj9","reference_id":"GHSA-9j5w-2cqc-cwj9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9j5w-2cqc-cwj9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380321?format=json","purl":"pkg:composer/openmage/magento-lts@20.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.2.0"}],"aliases":["GHSA-9j5w-2cqc-cwj9","GMS-2023-5656"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ch43-sk96-1qht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117003?format=json","vulnerability_id":"VCID-emd7-19m2-dqa4","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practicality it is not very likely to be useful given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.0 contain a patch for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41827","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea","reference_id":"d307e5bf75729a2347dde0952fe9fd9fcd9c6aea","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea"},{"reference_url":"https://github.com/advisories/GHSA-5pxh-89cx-4668","reference_id":"GHSA-5pxh-89cx-4668","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5pxh-89cx-4668"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668","reference_id":"GHSA-5pxh-89cx-4668","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3","reference_id":"v20.12.3","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0","reference_id":"v20.13.0","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377860?format=json","purl":"pkg:composer/openmage/magento-lts@20.12.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.12.3"}],"aliases":["CVE-2025-27400","GHSA-5pxh-89cx-4668"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-emd7-19m2-dqa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57149?format=json","vulnerability_id":"VCID-g6wr-gv5x-bkbz","summary":"Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases.\nBut because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676","reference_id":"","reference_type":"","scores":[{"value":"0.00669","scoring_system":"epss","scoring_elements":"0.71781","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948","reference_id":"484cf8afc550e98bbf2c03fbb29a8450a32e7948","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676","reference_id":"CVE-2024-41676","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676"},{"reference_url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2","reference_id":"GHSA-5vrp-638w-p8m2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2","reference_id":"GHSA-5vrp-638w-p8m2","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32817?format=json","purl":"pkg:composer/openmage/magento-lts@20.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.10.1"}],"aliases":["CVE-2024-41676","GHSA-5vrp-638w-p8m2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g6wr-gv5x-bkbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/340044?format=json","vulnerability_id":"VCID-gqbn-muac-hffj","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32759","reference_id":"","reference_type":"","scores":[{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.6842","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.68508","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32759"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/34709ac642d554aa1824892059186dd329db744b","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/commit/34709ac642d554aa1824892059186dd329db744b"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-xm9f-vxmx-4m58","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-xm9f-vxmx-4m58"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32759","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32759"},{"reference_url":"https://github.com/advisories/GHSA-xm9f-vxmx-4m58","reference_id":"GHSA-xm9f-vxmx-4m58","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xm9f-vxmx-4m58"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382888?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.15"},{"url":"http://public2.vulnerablecode.io/api/packages/382889?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.13"}],"aliases":["CVE-2021-32759","GHSA-xm9f-vxmx-4m58"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gqbn-muac-hffj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83953?format=json","vulnerability_id":"VCID-jspe-hb38-x7bs","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40098","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05737","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40098"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/5446","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/5446"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40098","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40098"},{"reference_url":"https://github.com/advisories/GHSA-665x-ppc4-685w","reference_id":"GHSA-665x-ppc4-685w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-665x-ppc4-685w"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w","reference_id":"GHSA-665x-ppc4-685w","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T18:10:34Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373882?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-td37-pfe4-wfbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-40098","GHSA-665x-ppc4-685w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jspe-hb38-x7bs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/147425?format=json","vulnerability_id":"VCID-k8s5-j857-rqa5","summary":"Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order's \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41879","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31761","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41879"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41879","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41879"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128","reference_id":"2a2a2fb504247e8966f8ffc2e17d614be5d43128","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877","reference_id":"31e74ac5d670b10001f88f038046b62367f15877","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"},{"reference_url":"https://github.com/advisories/GHSA-9358-cpvx-c2qp","reference_id":"GHSA-9358-cpvx-c2qp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9358-cpvx-c2qp"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp","reference_id":"GHSA-9358-cpvx-c2qp","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1","reference_id":"v19.5.1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1","reference_id":"v20.1.1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-26T16:53:59Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379633?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/379634?format=json","purl":"pkg:composer/openmage/magento-lts@20.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.1.1"}],"aliases":["CVE-2023-41879","GHSA-9358-cpvx-c2qp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k8s5-j857-rqa5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65618?format=json","vulnerability_id":"VCID-p5gt-99t2-gkeu","summary":"Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.014","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312","reference_id":"bugs?subject=openmage&report_id=3416312","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/"}],"url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523","reference_id":"CVE-2026-25523","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523"},{"reference_url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"GHSA-jg68-vhv3-9r8f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"GHSA-jg68-vhv3-9r8f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38575?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.1"},{"url":"http://public2.vulnerablecode.io/api/packages/937069?format=json","purl":"pkg:composer/openmage/magento-lts@21.0.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@21.0.0-beta1"}],"aliases":["CVE-2026-25523","GHSA-jg68-vhv3-9r8f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p5gt-99t2-gkeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70258?format=json","vulnerability_id":"VCID-pg7w-d4yk-wfbp","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel -> System -> Import/Export -> Dataflow - Profiles. This vulnerability is fixed in 20.18.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42458","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19567","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42458"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42458","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42458"},{"reference_url":"https://github.com/advisories/GHSA-x8jv-q8j2-487c","reference_id":"GHSA-x8jv-q8j2-487c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x8jv-q8j2-487c"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-x8jv-q8j2-487c","reference_id":"GHSA-x8jv-q8j2-487c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T17:58:08Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-x8jv-q8j2-487c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375478?format=json","purl":"pkg:composer/openmage/magento-lts@20.18.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0"}],"aliases":["CVE-2026-42458","GHSA-x8jv-q8j2-487c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pg7w-d4yk-wfbp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65650?format=json","vulnerability_id":"VCID-rmc2-vu4m-ckg2","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25525","reference_id":"","reference_type":"","scores":[{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21065","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25525"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/5445","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/5445"},{"reference_url":"https://hackerone.com/reports/3482926","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/3482926"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25525","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25525"},{"reference_url":"https://github.com/advisories/GHSA-6vqf-6fhm-7rc6","reference_id":"GHSA-6vqf-6fhm-7rc6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6vqf-6fhm-7rc6"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6","reference_id":"GHSA-6vqf-6fhm-7rc6","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:27:13Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373882?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-td37-pfe4-wfbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-25525","GHSA-6vqf-6fhm-7rc6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rmc2-vu4m-ckg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90960?format=json","vulnerability_id":"VCID-s6nq-g2xk-gucc","summary":"Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10411","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a","reference_id":"9d604f5489851c54a96fca31b0e13c414b0fb20a","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174","reference_id":"CVE-2025-64174","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174"},{"reference_url":"https://github.com/advisories/GHSA-qv78-c8hc-438r","reference_id":"GHSA-qv78-c8hc-438r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qv78-c8hc-438r"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r","reference_id":"GHSA-qv78-c8hc-438r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34987?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.0"}],"aliases":["CVE-2025-64174","GHSA-qv78-c8hc-438r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s6nq-g2xk-gucc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359264?format=json","vulnerability_id":"VCID-td37-pfe4-wfbt","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42207","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08775","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42207"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42207","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42207"},{"reference_url":"https://github.com/advisories/GHSA-qpgq-5g92-j5q8","reference_id":"GHSA-qpgq-5g92-j5q8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpgq-5g92-j5q8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375478?format=json","purl":"pkg:composer/openmage/magento-lts@20.18.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.18.0"}],"aliases":["CVE-2026-42207","GHSA-qpgq-5g92-j5q8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-td37-pfe4-wfbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211717?format=json","vulnerability_id":"VCID-trrj-es1k-5fgq","summary":"Magento LTS vulnerable to stored XSS in admin file form","references":[{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717","reference_id":"CVE-2024-20717","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717"},{"reference_url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"GHSA-gp6m-fq6h-cjcx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"GHSA-gp6m-fq6h-cjcx","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29403?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/29402?format=json","purl":"pkg:composer/openmage/magento-lts@20.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0"}],"aliases":["GHSA-gp6m-fq6h-cjcx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-trrj-es1k-5fgq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/130272?format=json","vulnerability_id":"VCID-tugb-a2dv-sqdv","summary":"OpenMage LTS is an e-commerce platform. Versions prior to 19.4.22 and 20.0.19 contain an infinite loop in malicious code filter in certain conditions. Versions 19.4.22 and 20.0.19 have a fix for this issue. There are no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23617","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51053","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23617"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23617","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23617"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b61cd3172","reference_id":"494027785bdb7db53e60c11ef03c144b61cd3172","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b61cd3172"},{"reference_url":"https://github.com/advisories/GHSA-3p73-mm7v-4f6m","reference_id":"GHSA-3p73-mm7v-4f6m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3p73-mm7v-4f6m"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m","reference_id":"GHSA-3p73-mm7v-4f6m","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22","reference_id":"v19.4.22","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19","reference_id":"v20.0.19","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2023-23617","GHSA-3p73-mm7v-4f6m","GMS-2023-153"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tugb-a2dv-sqdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/157565?format=json","vulnerability_id":"VCID-tyx8-zc5z-s7av","summary":"OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41144","reference_id":"","reference_type":"","scores":[{"value":"0.00598","scoring_system":"epss","scoring_elements":"0.69892","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00598","scoring_system":"epss","scoring_elements":"0.69983","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41144"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41144","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41144"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/06c45940ba3256cdfc9feea12a3c0ca56d23acf8","reference_id":"06c45940ba3256cdfc9feea12a3c0ca56d23acf8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/06c45940ba3256cdfc9feea12a3c0ca56d23acf8"},{"reference_url":"https://github.com/advisories/GHSA-5j2g-3ph4-rgvm","reference_id":"GHSA-5j2g-3ph4-rgvm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5j2g-3ph4-rgvm"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5j2g-3ph4-rgvm","reference_id":"GHSA-5j2g-3ph4-rgvm","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5j2g-3ph4-rgvm"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22","reference_id":"v19.4.22","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19","reference_id":"v20.0.19","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:18Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2021-41144","GHSA-5j2g-3ph4-rgvm","GMS-2023-154"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tyx8-zc5z-s7av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/156113?format=json","vulnerability_id":"VCID-w5z3-2wu1-kba6","summary":"OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39217","reference_id":"","reference_type":"","scores":[{"value":"0.00724","scoring_system":"epss","scoring_elements":"0.7302","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00724","scoring_system":"epss","scoring_elements":"0.73098","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39217"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39217","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39217"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f","reference_id":"289bd4b4f53622138e3e5c2d2cef7502d780086f","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f"},{"reference_url":"https://github.com/advisories/GHSA-c9q3-r4rv-mjm7","reference_id":"GHSA-c9q3-r4rv-mjm7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c9q3-r4rv-mjm7"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7","reference_id":"GHSA-c9q3-r4rv-mjm7","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22","reference_id":"v19.4.22","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19","reference_id":"v20.0.19","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:24Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379915?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/379916?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.19"}],"aliases":["CVE-2021-39217","GHSA-c9q3-r4rv-mjm7","GMS-2023-156"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5z3-2wu1-kba6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/340043?format=json","vulnerability_id":"VCID-xjvk-cbqj-cyda","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32758","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58586","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58698","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32758"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.0.13"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32758","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32758"},{"reference_url":"https://github.com/advisories/GHSA-26rr-v2j2-25fh","reference_id":"GHSA-26rr-v2j2-25fh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26rr-v2j2-25fh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382888?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.15"},{"url":"http://public2.vulnerablecode.io/api/packages/391567?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-gqbn-muac-hffj"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.11"},{"url":"http://public2.vulnerablecode.io/api/packages/382889?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.13"}],"aliases":["CVE-2021-32758","GHSA-26rr-v2j2-25fh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xjvk-cbqj-cyda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83886?format=json","vulnerability_id":"VCID-xz4e-36yr-wqbx","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions for some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution. Version 20.17.0 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40488","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25453","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40488"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40488","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40488"},{"reference_url":"https://github.com/advisories/GHSA-3j5q-7q7h-2hhv","reference_id":"GHSA-3j5q-7q7h-2hhv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3j5q-7q7h-2hhv"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv","reference_id":"GHSA-3j5q-7q7h-2hhv","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:14Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373882?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-td37-pfe4-wfbt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-40488","GHSA-3j5q-7q7h-2hhv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz4e-36yr-wqbx"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/334306?format=json","vulnerability_id":"VCID-aydd-12xg-1ugb","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21426","reference_id":"","reference_type":"","scores":[{"value":"0.00405","scoring_system":"epss","scoring_elements":"0.61456","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00405","scoring_system":"epss","scoring_elements":"0.6156","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21426"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21426","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21426"},{"reference_url":"https://github.com/advisories/GHSA-m496-x567-f98c","reference_id":"GHSA-m496-x567-f98c","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m496-x567-f98c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382367?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-gqbn-muac-hffj"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xjvk-cbqj-cyda"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.13"},{"url":"http://public2.vulnerablecode.io/api/packages/382368?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/498257?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-gqbn-muac-hffj"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xjvk-cbqj-cyda"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.10"}],"aliases":["CVE-2021-21426","GHSA-m496-x567-f98c"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aydd-12xg-1ugb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/334307?format=json","vulnerability_id":"VCID-rpqu-nqvm-n3fv","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21427","reference_id":"","reference_type":"","scores":[{"value":"0.00636","scoring_system":"epss","scoring_elements":"0.70904","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00636","scoring_system":"epss","scoring_elements":"0.70995","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21427"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21427","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21427"},{"reference_url":"https://github.com/advisories/GHSA-fvrf-9428-527m","reference_id":"GHSA-fvrf-9428-527m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvrf-9428-527m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382367?format=json","purl":"pkg:composer/openmage/magento-lts@19.4.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-gqbn-muac-hffj"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xjvk-cbqj-cyda"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.13"},{"url":"http://public2.vulnerablecode.io/api/packages/382368?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/498257?format=json","purl":"pkg:composer/openmage/magento-lts@20.0.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3vh1-gwuy-dkdk"},{"vulnerability":"VCID-4h53-y83m-z7ec"},{"vulnerability":"VCID-597x-5gb5-h7d7"},{"vulnerability":"VCID-782v-6fkq-pub1"},{"vulnerability":"VCID-8v75-vju1-1ffa"},{"vulnerability":"VCID-ch43-sk96-1qht"},{"vulnerability":"VCID-emd7-19m2-dqa4"},{"vulnerability":"VCID-g6wr-gv5x-bkbz"},{"vulnerability":"VCID-gqbn-muac-hffj"},{"vulnerability":"VCID-jspe-hb38-x7bs"},{"vulnerability":"VCID-k8s5-j857-rqa5"},{"vulnerability":"VCID-p5gt-99t2-gkeu"},{"vulnerability":"VCID-pg7w-d4yk-wfbp"},{"vulnerability":"VCID-rmc2-vu4m-ckg2"},{"vulnerability":"VCID-s6nq-g2xk-gucc"},{"vulnerability":"VCID-td37-pfe4-wfbt"},{"vulnerability":"VCID-trrj-es1k-5fgq"},{"vulnerability":"VCID-tugb-a2dv-sqdv"},{"vulnerability":"VCID-tyx8-zc5z-s7av"},{"vulnerability":"VCID-w5z3-2wu1-kba6"},{"vulnerability":"VCID-xjvk-cbqj-cyda"},{"vulnerability":"VCID-xz4e-36yr-wqbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.0.10"}],"aliases":["CVE-2021-21427","GHSA-fvrf-9428-527m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpqu-nqvm-n3fv"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.4.13"}