Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal(). When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc. This vulnerability is fixed in 20.18.0.
Published: 2026-05-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An open redirect is triggered when the `uenc` query parameter is supplied to the `stockAction()` method of OpenMage's Magento LTS. If the supplied `product_id` does not match a catalog product, the server answers with an HTTP 302 to the URL given in `uenc` without checking that the target is internal to the store. This is a classic open-redirect weakness (CWE-601) that can be abused to send users to attacker-chosen sites, typically as a phishing lure that appears to originate from the trusted store domain.

Affected Systems

The vulnerability affects all OpenMage Magento LTS installations running a version earlier than 20.18.0. No narrower version range is specified, so any instance below 20.18.0 is considered affected.

Risk and Exploitability

With a CVSS score of 6.1 the flaw is rated medium severity; its vector (AV:N/AC:L/PR:N/UI:R) needs no privileges but does require a victim to follow the crafted link. The EPSS score is not reported and the issue is not listed in the CISA KEV catalog, indicating no known large-scale exploitation to date. A remote attacker can trigger the redirect with a URL containing the `uenc` parameter, so the attack vector is network-based, requiring only standard HTTP access to the exposed endpoint.

Generated by OpenCVE AI on May 15, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenMage Magento LTS instance to version 20.18.0 or later, where the redirect logic is fixed.
  • If an upgrade is not immediately possible, modify the `stockAction()` implementation to validate the `uenc` parameter with `_isUrlInternal()` (the check the vulnerable code omits) and fall back to an internal URL when validation fails, or remove the parameter altogether.
  • Configure application or web-server rules to block or log external redirects generated by the `stockAction()` endpoint, providing an additional monitoring layer against abuse.
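The two mitigations above, as an added example in Python (not OpenMage's own code): an internal-URL check in the spirit of the `_isUrlInternal()` test the vulnerable code skipped, and a scan of access-log lines that flags `stockAction()` requests whose `uenc` target leaves the store. The store host `shop.example`, the log lines and the `uenc` encoding (base64 with `+/=` written as `-_,`) are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

STORE_HOSTS = {"shop.example"}  # assumed; a real store reads its base URLs from config

def is_url_internal(url, hosts=STORE_HOSTS):
    """The check the advisory says stockAction() skipped: True only for targets on the
    store. Rejects forms browsers and parsers read differently (backslash, space, @, //host)."""
    if not url or re.search(r"[\\\s]", url):
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/")  # site-relative path
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False
    return (parts.hostname or "").lower() in hosts

def decode_uenc(value):
    """Decode uenc (assumed: base64 with + / = written as - _ ,); non-base64 is kept raw."""
    try:
        return base64.b64decode(value.translate(str.maketrans("-_,", "+/=")), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value

LOG_LINE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed log lines: off-site uenc, on-site uenc, unrelated hit, raw scheme-relative uenc.
LOG_LINES = [
    '203.0.113.5 - - [15/May/2026:17:20:01 +0000] "GET /productalert/add/stock/'
    '?product_id=999999&uenc=aHR0cHM6Ly9ldmlsLmV4YW1wbGUvbG9naW4, HTTP/1.1" 302 -',
    '203.0.113.6 - - [15/May/2026:17:20:02 +0000] "GET /productalert/add/stock/'
    '?product_id=42&uenc=L2N1c3RvbWVyL2FjY291bnQv HTTP/1.1" 302 -',
    '203.0.113.7 - - [15/May/2026:17:20:03 +0000] "GET /catalog/product/view/id/42/ HTTP/1.1" 200 8123',
    '203.0.113.8 - - [15/May/2026:17:20:04 +0000] "GET /productalert/add/stock/'
    '?product_id=999999&uenc=//evil.example/ HTTP/1.1" 302 -',
]

def find_external_redirects(log_lines, hosts=STORE_HOSTS):
    """(status, decoded target) for every stockAction request whose uenc leaves the store."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or "/productalert/add/stock" not in m["path"]:
            continue
        target = decode_uenc(parse_qs(urlsplit(m["path"]).query).get("uenc", [""])[0])
        if target and not is_url_internal(target, hosts):
            hits.append((m["status"], target))
    return hits
```

Running `find_external_redirects(LOG_LINES)` reports only the two off-site targets; the on-site `uenc` and the unrelated catalog request are ignored.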

Advisories
Source: GitHub GHSA
ID: GHSA-qpgq-5g92-j5q8
Title: Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`
History

Fri, 15 May 2026 17:15:00 +0000

Values added:

Description: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal(). When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc. This vulnerability is fixed in 20.18.0.
Title: Magento LTS: Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` - magento-lts
Weaknesses: CWE-601
References:
Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:50:25.297Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42207

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T17:16:46.757

Modified: 2026-05-15T19:16:58.243

Link: CVE-2026-42207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:30:05Z

Weaknesses