{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25525", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.372Z", "datePublished": "2026-04-20T16:14:14.366Z", "dateUpdated": "2026-04-20T16:14:14.366Z"}, "containers": {"cna": {"title": "OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"}], "affected": [{"vendor": "OpenMage", "product": "magento-lts", "versions": [{"version": "< 20.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:14:14.366Z"}, "descriptions": [{"lang": "en", "value": "Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue."}], "source": {"advisory": "GHSA-6vqf-6fhm-7rc6", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue."}], "id": "CVE-2026-25525", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T17:16:32.460", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:38:42.102617+00:00", "value": {"mitigation_remediation": ["Upgrade OpenMage LTS to version 20.17.0 or newer, which replaces the weak blacklist filter with a robust check that prevents traversal patterns.", "Limit administrator access by enforcing least privilege and ensuring that only trusted personnel can use the Dataflow module and have filesystem access.", "If an immediate upgrade is not feasible, apply custom input validation that rejects any path containing .. sequences or multiple sequential slashes before the data is processed by the module, serving as a temporary workaround."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file read via authenticated administrator when path traversal is bypassed"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in any OpenMage LTS release prior to 20.17.0. All installations of OpenMage:magento-lts running a version earlier than 20.17.0 are affected. OpenMage LTS is an unofficial, community\u2011driven project providing a long\u2011term support branch of the Magento Community Edition.", "description_and_impact": "The Dataflow module in OpenMage LTS before version 20.17.0 applies a weak blacklist filter that removes only the sequence ../ from input. Patterns such as ..././ or ....// still leave a ../ after the replacement, allowing the resolved path to contain traversal. An attacker with administrator credentials can supply these patterns to read any file on the server filesystem. This flaw is a path traversal weakness categorized as CWE-184 and CWE-22 and directly threatens the confidentiality of server files.", "risk_and_exploitability": "The CVSS score of 4.9 places this in the medium severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. Since the flaw requires authenticated administrator access, only users with such privileges can exploit it, but it gives them unrestricted ability to read any file on the server. The path traversal bypass is straightforward once the attacker knows the weak filter, so the attack vector is local with limited privilege escalation beyond the existing administrator role."}}}}, "created": "2026-04-20T18:45:14.227087+00:00", "updated": "2026-04-20T18:45:14.227099+00:00", "vendors": []}