| CVE | Severity | Score | Score | Published | Advisory |
|---|---|---|---|---|---|
| CVE-2026-42155 | critical | — | 9.5 | 24d ago | Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs |
| CVE-2026-42207 | medium | 6.1 | 6.1 | 24d ago | Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` |
| CVE-2026-42458 | medium | — | 5.5 | 23d ago | Magento LTS: Reflected XSS - Import -> Data Flow (profiles) |
| CVE-2026-40488 | unknown | — | — | 1mo ago | OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution |
| CVE-2026-40098 | unknown | — | — | 1mo ago | OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure |
| CVE-2026-25525 | unknown | — | — | 1mo ago | OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module |
| CVE-2026-25524 | unknown | — | — | 1mo ago | OpenMage LTS: Phar Deserialization leads to Remote Code Execution |
| CVE-2026-25523 | unknown | — | — | 4mo ago | Magento's X-Original-Url header can expose admin url |
| CVE-2025-64174 | unknown | — | — | 7mo ago | OpenMage vulnerable to XSS in Admin Notifications |
| CVE-2025-27400 | unknown | — | — | 1y ago | Magento LTS vulnerable to stored XSS in theme config fields |
| CVE-2024-41676 | unknown | — | — | 2y ago | Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs |
| CVE-2023-41879 | unknown | — | — | 3y ago | Magento LTS's guest order "protect code" can be brute-forced too easily |
| CVE-2021-41231 | unknown | — | — | 3y ago | DataFlow upload remote code execution vulnerability |
| CVE-2021-41144 | unknown | — | — | 3y ago | Fix for authenticated remote code execution through layout update |
| CVE-2023-23617 | unknown | — | — | 3y ago | DoS vulnerability in MaliciousCode filter |
| CVE-2021-41143 | unknown | — | — | 3y ago | Fix for arbitrary file deletion in customer media allows for remote code execution |
| CVE-2021-39217 | unknown | — | — | 3y ago | Fix for arbitrary command execution in custom layout update through blocks |
| CVE-2021-21395 | unknown | — | — | 3y ago | magento-lts Reset Password not protected against well-timed CSRF |
| CVE-2021-32758 | unknown | — | — | 5y ago | Layout XML Arbitrary Code Fix |
| CVE-2021-32759 | unknown | — | — | 5y ago | Data Flow Sanitation Issue Fix |
| CVE-2021-21427 | unknown | — | — | 5y ago | Backport for CVE-2021-21024 Blind SQLi from Magento 2 |
| CVE-2021-21426 | unknown | — | — | 5y ago | Fixes a bug in Zend Framework's Stream HTTP Wrapper |
| CVE-2020-15244 | unknown | — | — | 6y ago | RCE via PHP Object injection via SOAP Requests |
| CVE-2020-15151 | unknown | — | — | 6y ago | Observable Timing Discrepancy in OpenMage LTS |