Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions in some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution. Version 20.17.0 patches the issue.
Published: 2026-04-20
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an incomplete file upload blocklist for product custom options in OpenMage LTS. Uploads with extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, or .pht pass the intended filter, and the files are stored in the publicly accessible media/custom_options/quote/ directory. If the web server executes scripts from that directory, an attacker can upload a malicious file and run arbitrary code, resulting in full remote code execution. The flaw is classified as CWE-434, unrestricted upload of a file with a dangerous type.

Affected Systems

All installations of OpenMage LTS running a version earlier than 20.17.0 are affected. The affected product is OpenMage LTS itself, the OpenMage project's community-maintained alternative to Magento Community Edition. Versions 20.17.0 and later incorporate the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Although no EPSS score is available, the vulnerability has a clear path to exploitation through the web interface. The KEV catalog does not list this CVE, but that does not diminish the risk posed by being able to upload files into a directory from which scripts can be executed. If the server allows script execution in media/custom_options/quote/, an attacker can achieve complete compromise of the application and potentially the underlying server. If execution is not allowed, the risk is reduced, but the vulnerability still permits file upload abuse that could enable other attacks.

Generated by OpenCVE AI on April 20, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the OpenMage LTS update to version 20.17.0 or later, which patches the blocklist bypass and the upload handling.
  • Review the configuration of custom option uploads and ensure the blocklist covers all PHP-executable extensions (e.g., .php, .phtml, .phar, .php3, .php4, .php5, .php7, .pht).
  • Configure the web server to deny script execution in the media/custom_options/quote/ directory (for example, with an .htaccess rule or web-server-specific directives) to remove the remote execution vector.
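As an added illustration, not OpenMage's own code, the following Python models the check the advisory describes: the pre-20.17.0 blocklist `forbidden_extensions = php,exe`, which compares only the final extension, beside an allowlist-based check that refuses a PHP-executable extension anywhere in the filename. The allowlist of accepted types and the double-extension handling are assumptions that go beyond what the page states.

```python
"""Models the custom-option upload check described for CVE-2026-40488.

Added example, not OpenMage code. It contrasts the pre-20.17.0 blocklist
with an allowlist check that also rejects PHP-executable extensions
anywhere in the name (the allowlist itself is an assumption).
"""
from pathlib import PurePosixPath

# Default blocklist quoted in the advisory (pre-20.17.0 behaviour).
FORBIDDEN_EXTENSIONS = "php,exe"

# PHP-executable extensions named in the advisory, plus the original two.
PHP_EXECUTABLE = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "pht", "exe"}

# Assumed allowlist of what a product custom option should accept (not from the page).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def weak_check(filename: str) -> bool:
    """Vulnerable logic: only the final extension is compared to the blocklist."""
    forbidden = {e.strip().lower() for e in FORBIDDEN_EXTENSIONS.split(",")}
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in forbidden


def hardened_check(filename: str) -> bool:
    """Allowlist the final extension and refuse any PHP-executable token in the name."""
    name = PurePosixPath(filename).name  # drop any directory components
    parts = [p.lower() for p in name.split(".")]
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dot-file such as .htaccess
    if any(p in PHP_EXECUTABLE for p in parts[1:]):
        return False  # catches shell.phtml and shell.php.jpg alike
    return parts[-1] in ALLOWED_EXTENSIONS


def bypasses(check) -> list[str]:
    """Extensions from PHP_EXECUTABLE that the given check would still accept."""
    return sorted(e for e in PHP_EXECUTABLE if check(f"upload.{e}"))


if __name__ == "__main__":
    print("weak check accepts:", bypasses(weak_check))
    print("hardened check accepts:", bypasses(hardened_check))
```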


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:45:00 +0000

Values removed: none

Type: Description
Values added: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions for some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution. Version 20.17.0 patches the issue.

Type: Title
Values added: OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Code Execution

Type: Weaknesses
Values added: CWE-434

Type: References

Type: Metrics
Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:55:05.724Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40488

Vulnrichment

Updated: 2026-04-20T16:44:21.310Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T17:16:36.300

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40488

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses