CVE-2026-40488
Published:April 20, 2026
Updated:April 23, 2026
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist ("forbidden_extensions = php,exe") to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", and ".pht". Files are stored in the publicly accessible "media/custom_options/quote/" directory, which lacks server-side execution restrictions for some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution. Version 20.17.0 patches the issue.
Affected Packages
openmage/magento-lts (PHP):
Affected version(s) >=v19.x-dev <v20.17.0Fix Suggestion:
Update to version v20.17.0Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Unrestricted Upload of File with Dangerous Type
EPSS
Base Score:
0.12
