{"url":"http://public2.vulnerablecode.io/api/packages/67984?format=json","purl":"pkg:composer/openmage/magento-lts@20.5.0","type":"composer","namespace":"openmage","name":"magento-lts","version":"20.5.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"20.18.0","latest_non_vulnerable_version":"20.18.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/332118?format=json","vulnerability_id":"VCID-6yhd-9af9-kqht","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40488","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25442","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40488"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:14Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA
-3j5q-7q7h-2hhv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40488","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40488"},{"reference_url":"https://github.com/advisories/GHSA-3j5q-7q7h-2hhv","reference_id":"GHSA-3j5q-7q7h-2hhv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3j5q-7q7h-2hhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188944?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t5zu-h363-w7g6"},{"vulnerability":"VCID-tznv-bm7r-d3eq"},{"vulnerability":"VCID-u4nx-8npp-f3fv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-40488","GHSA-3j5q-7q7h-2hhv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6yhd-9af9-kqht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/261654?format=json","vulnerability_id":"VCID-8c5k-ud7g-b3dg","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676","reference_id":"","reference_type":"","scores":[{"value":"0.00669","scoring_system":"epss","scoring_elements":"0.71645","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41676"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/484cf8afc550e98bbf2c03fbb29a8450a32e7948"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676","reference_id":"CVE-2024-41676","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41676"},{"reference_url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2","reference_id":"GHSA-5vrp-638w-p8m2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vrp-638w-p8m2"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2","reference_id":"GHSA-5vrp-638w-p8m2","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVS
S:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:41:02Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vrp-638w-p8m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82295?format=json","purl":"pkg:composer/openmage/magento-lts@20.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6yhd-9af9-kqht"},{"vulnerability":"VCID-bjeu-6mut-kye1"},{"vulnerability":"VCID-hda3-yjzv-63fs"},{"vulnerability":"VCID-pddp-ssfx-7yc6"},{"vulnerability":"VCID-ukd9-7sma-wqbx"},{"vulnerability":"VCID-uqfs-sy1h-uybb"},{"vulnerability":"VCID-wvuf-ntsm-8uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.10.1"}],"aliases":["CVE-2024-41676","GHSA-5vrp-638w-p8m2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8c5k-ud7g-b3dg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20732?format=json","vulnerability_id":"VCID-bjeu-6mut-kye1","summary":"OpenMage vulnerable to XSS in Admin Notifications\nOpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. 
Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09658","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64174"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174","reference_id":"CVE-2025-64174","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64174"},{"reference_url":"https://github.com/advisories/GHSA-qv78-c8hc-438r","reference_id":"GHSA-qv78-c8hc-438r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com
/advisories/GHSA-qv78-c8hc-438r"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r","reference_id":"GHSA-qv78-c8hc-438r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:19:51Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70112?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6yhd-9af9-kqht"},{"vulnerability":"VCID-hda3-yjzv-63fs"},{"vulnerability":"VCID-ukd9-7sma-wqbx"},{"vulnerability":"VCID-uqfs-sy1h-uybb"},{"vulnerability":"VCID-wvuf-ntsm-8uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.0"}],"aliases":["CVE-2025-64174","GHSA-qv78-c8hc-438r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bjeu-6mut-kye1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/324016?format=json","vulnerability_id":"VCID-hda3-yjzv-63fs","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25524","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.5232","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25524"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elemen
ts":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-20T16:44:41Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25524","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25524"},{"reference_url":"https://github.com/advisories/GHSA-fg79-cr9c-7369","reference_id":"GHSA-fg79-cr9c-7369","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fg79-cr9c-7369"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188944?for
mat=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t5zu-h363-w7g6"},{"vulnerability":"VCID-tznv-bm7r-d3eq"},{"vulnerability":"VCID-u4nx-8npp-f3fv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-25524","GHSA-fg79-cr9c-7369"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hda3-yjzv-63fs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/290126?format=json","vulnerability_id":"VCID-pddp-ssfx-7yc6","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.4176","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27400"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3","reference_id":"","reference_type":"","
scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-28T15:41:48Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27400"},{"reference_url":"https://github.com/advisories/GHSA-5pxh-89cx-4668","reference_id":"GHSA-5pxh-89cx-4668","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5pxh-89cx-4668"}],"fixed_packages":[
{"url":"http://public2.vulnerablecode.io/api/packages/195111?format=json","purl":"pkg:composer/openmage/magento-lts@20.12.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6yhd-9af9-kqht"},{"vulnerability":"VCID-bjeu-6mut-kye1"},{"vulnerability":"VCID-hda3-yjzv-63fs"},{"vulnerability":"VCID-ukd9-7sma-wqbx"},{"vulnerability":"VCID-uqfs-sy1h-uybb"},{"vulnerability":"VCID-wvuf-ntsm-8uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.12.3"}],"aliases":["CVE-2025-27400","GHSA-5pxh-89cx-4668"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pddp-ssfx-7yc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/331851?format=json","vulnerability_id":"VCID-ukd9-7sma-wqbx","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40098","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05866","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40098"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/5446","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"valu
e":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/5446"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T18:10:34Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40098","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40098"},{"reference_url":"https://github.com/advisories/GHSA-665x-ppc4-685w","reference_id":"GHSA-665x-ppc4-685w","reference_t
ype":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-665x-ppc4-685w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188944?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t5zu-h363-w7g6"},{"vulnerability":"VCID-tznv-bm7r-d3eq"},{"vulnerability":"VCID-u4nx-8npp-f3fv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-40098","GHSA-665x-ppc4-685w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ukd9-7sma-wqbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22363?format=json","vulnerability_id":"VCID-uqfs-sy1h-uybb","summary":"Magento's X-Original-Url header can expose admin url\nThe admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some 
configurations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.0117","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25523"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/"}],"url":"https://hackerone.com/bugs?subject=openmage&report_id=3416312"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523","reference_id":"CVE-2026-25523","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25523"},{"reference_url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"GHSA-jg68-vhv3-9r8f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jg68-vhv3-9r8f"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f","reference_id":"GHSA-jg68-vhv3-9r8f","reference_type":"","scores":[{"value":"
5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:34:33Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/907094?format=json","purl":"pkg:composer/openmage/magento-lts@21.0.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@21.0.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/72594?format=json","purl":"pkg:composer/openmage/magento-lts@20.16.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.16.1"}],"aliases":["CVE-2026-25523","GHSA-jg68-vhv3-9r8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uqfs-sy1h-uybb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/324017?format=json","vulnerability_id":"VCID-wvuf-ntsm-8uef","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25525","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15899","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25525"},{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"u
rl":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://github.com/OpenMage/magento-lts/pull/5445","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/pull/5445"},{"reference_url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:27:13Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"},{"reference_url":"https://hackerone.com/reports/3482926","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/3482926"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25525","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODE
RATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25525"},{"reference_url":"https://github.com/advisories/GHSA-6vqf-6fhm-7rc6","reference_id":"GHSA-6vqf-6fhm-7rc6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6vqf-6fhm-7rc6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188944?format=json","purl":"pkg:composer/openmage/magento-lts@20.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t5zu-h363-w7g6"},{"vulnerability":"VCID-tznv-bm7r-d3eq"},{"vulnerability":"VCID-u4nx-8npp-f3fv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.17.0"}],"aliases":["CVE-2026-25525","GHSA-6vqf-6fhm-7rc6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wvuf-ntsm-8uef"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19555?format=json","vulnerability_id":"VCID-c9gq-husm-87bb","summary":"Magento LTS vulnerable to stored XSS in admin file form\n### Summary\nOpenMage is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.\n\n### Details\n`Mage_Adminhtml_Block_System_Config_Form_Field_File` does not escape filename value in certain situations.\nSame as: https://nvd.nist.gov/vuln/detail/CVE-2024-20717\n\n### PoC\n1. Create empty file with this filename: `<img src=x onerror=alert(1)>.crt`\n2. Go to _System_ > _Configuration_ > _Sales | Payment Methods_.\n3. Click **Configure** on _PayPal Express Checkout_.\n4. Choose **API Certificate** from dropdown _API Authentication Methods_.\n5. Choose the XSS-file and click **Save Config**.\n6. Profit, alerts \"1\" -> XSS.\n7. 
Reload, alerts \"1\" -> Stored XSS.\n\n### Impact\nAffects admins that have access to any fileupload field in admin in core or custom implementations.\nMalicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.","references":[{"reference_url":"https://github.com/OpenMage/magento-lts","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717","reference_id":"CVE-2024-20717","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-20717"},{"reference_url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"GHSA-gp6m-fq6h-cjcx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp6m-fq6h-cjcx"},{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx","reference_id":"GHSA-gp6m-fq6h-cjcx","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-gp6m-fq6h-cjcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67985?format=json","purl":"pkg:composer/openmage/magento-lts@19.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerab
ility":"VCID-6yhd-9af9-kqht"},{"vulnerability":"VCID-8c5k-ud7g-b3dg"},{"vulnerability":"VCID-bjeu-6mut-kye1"},{"vulnerability":"VCID-hda3-yjzv-63fs"},{"vulnerability":"VCID-pddp-ssfx-7yc6"},{"vulnerability":"VCID-ukd9-7sma-wqbx"},{"vulnerability":"VCID-uqfs-sy1h-uybb"},{"vulnerability":"VCID-wvuf-ntsm-8uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@19.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/67984?format=json","purl":"pkg:composer/openmage/magento-lts@20.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6yhd-9af9-kqht"},{"vulnerability":"VCID-8c5k-ud7g-b3dg"},{"vulnerability":"VCID-bjeu-6mut-kye1"},{"vulnerability":"VCID-hda3-yjzv-63fs"},{"vulnerability":"VCID-pddp-ssfx-7yc6"},{"vulnerability":"VCID-ukd9-7sma-wqbx"},{"vulnerability":"VCID-uqfs-sy1h-uybb"},{"vulnerability":"VCID-wvuf-ntsm-8uef"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0"}],"aliases":["GHSA-gp6m-fq6h-cjcx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c9gq-husm-87bb"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/openmage/magento-lts@20.5.0"}