Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.
Published: 2026-04-20
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when PHP functions such as getimagesize(), file_exists(), and is_readable() process phar:// stream wrapper paths, causing deserialization of the phar archive. In OpenMage Magento LTS before version 20.17.0 these functions are invoked with user-controllable paths during image validation and media handling. An attacker who uploads a specially crafted phar file disguised as an image can trigger arbitrary PHP object deserialization, leading to remote code execution. The weakness is identified as CWE-502.

Affected Systems

Installations of OpenMage Magento LTS that run any version prior to 20.17.0 are affected. The issue is fixed in release v20.17.0 and later.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack path involves an attacker who can upload a file and then cause a request in which the vulnerable functions process a path referring to it; the exploit requires no additional configuration beyond the default upload mechanism. While no public exploits are documented and the vulnerability is absent from KEV, the high severity score indicates that the opportunity for exploitation is substantial for an attacker who can influence file uploads.

Generated by OpenCVE AI on April 20, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenMage Magento LTS to version 20.17.0 or later; this release contains the patch that removes the vulnerable deserialization logic.
  • Validate uploaded files strictly to ensure only legitimate image formats are accepted and reject any phar:// or other non-image paths before processing.
  • If an update cannot be applied immediately, limit the exposure by disabling or restricting PHP functions capable of parsing phar streams (e.g., by adjusting php.ini or code) and monitor logs for unauthorized upload attempts.
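The two mitigations above (strict validation of the file name before any filesystem function sees it, and restricting the phar stream wrapper where Phar is not needed) can be combined in a small wrapper around getimagesize(). The following is an added example written for this page, not OpenMage code; it assumes PHP 8, an upload root directory and an extension allow-list that are placeholders, and a 1x1 PNG constructed inline so it runs offline. Note that `disable_functions` in php.ini does not affect stream wrappers; `stream_wrapper_unregister('phar')` does.

```php
<?php
declare(strict_types=1);

// Added example (not OpenMage code): validate a user-supplied image name as a
// bare file inside the upload root before handing it to getimagesize(), so a
// phar:// (or any other wrapper) path never reaches PHP's stream layer.

final class SafeImageCheck
{
    /** Image extensions accepted by this example (assumption; adjust to policy). */
    private const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

    /** MIME types getimagesize() may report for the accepted extensions. */
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

    /**
     * Returns the canonical path of a validated image, or null if the name is a
     * URL-style path, contains directory components or NUL bytes, escapes
     * $uploadRoot, has a disallowed extension, or does not parse as an image.
     */
    public static function validatedPath(string $uploadRoot, string $userName): ?string
    {
        // Reject any scheme prefix (phar:, php:, data:, file:, ...) up front.
        if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $userName) === 1) {
            return null;
        }
        // Only a bare file name is allowed: no NUL bytes, no slashes, no "..".
        if (str_contains($userName, "\0") || basename($userName) !== $userName) {
            return null;
        }
        // Extension allow-list, checked on the name the caller supplied.
        $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXT, true)) {
            return null;
        }
        // Canonicalise and confine to the upload root. realpath() returns false
        // for a missing file, which is treated as a rejection.
        $root = realpath($uploadRoot);
        $real = realpath($uploadRoot . DIRECTORY_SEPARATOR . $userName);
        if ($root === false || $real === false
            || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
            return null;
        }
        // Only now does getimagesize() run, and only on a plain local file.
        $info = @getimagesize($real);
        if ($info === false || !in_array($info['mime'] ?? '', self::ALLOWED_MIME, true)) {
            return null;
        }
        return $real;
    }
}

// Belt and braces for deployments that do not need Phar at runtime: with the
// wrapper removed, any phar:// path fails before deserialization can occur.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Usage with constructed inputs (placeholder directory under the temp dir).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo';
@mkdir($root);
// Minimal 1x1 PNG, constructed inline so the example runs offline.
file_put_contents($root . DIRECTORY_SEPARATOR . 'ok.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
foreach (['ok.png', 'phar://ok.png/inner', '../ok.png', 'ok.php'] as $name) {
    $result = SafeImageCheck::validatedPath($root, $name);
    printf("%-22s => %s\n", $name, $result === null ? 'rejected' : 'accepted');
}
```

The order of checks matters: the scheme and bare-name tests run on the raw string before realpath() or any other filesystem call, because those calls are themselves the functions that would open a phar:// path. The wrapper unregistration is global for the process, so apply it only where the application and its dependencies do not load phar archives at runtime.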

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:45:00 +0000

Type: Description
Values added: Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.

Type: Title
Values added: OpenMage LTS's Phar Deserialization leads to Remote Code Execution

Type: Weaknesses
Values added: CWE-502

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:54:43.603Z

Reserved: 2026-02-02T19:59:47.372Z

Link: CVE-2026-25524

Vulnrichment

Updated: 2026-04-20T16:44:46.174Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T17:16:32.290

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-25524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses