{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83953?format=json","vulnerability_id":"VCID-jspe-hb38-x7bs","summary":"Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.","aliases":[{"alias":"CVE-2026-40098"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w","reference_id":"GHSA-665x-ppc4-685w","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T18:10:34Z/"}],"url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w"}],"weaknesses":[{"cwe_id":862,"name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}],"exploits":[],"severity_range_score":"5.3 - 5.3","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jspe-hb38-x7bs"}