Description
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel -> System -> Import/Export -> Dataflow - Profiles. This vulnerability is fixed in 20.18.0.
Published: 2026-05-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected XSS flaw exists in the admin panel of Magento LTS under System → Import/Export → Dataflow − Profiles. An attacker who can craft a request that is processed by the import interface can inject arbitrary script into the page returned to the user. This can lead to security‑related consequences such as session hijacking, defacement or execution of malicious code in the victim’s browser. The weakness maps to CWE‑87: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The vulnerability affects the OpenMage community run of Magento LTS. All releases prior to 20.18.0 are susceptible.

Risk and Exploitability

The CVSS score for this issue is 5.3, indicating a moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an authenticated session with access to the admin area is required for exploitation; an attacker who gains such privileges can submit crafted import data to trigger the reflected XSS. Although not widely known to be exploited in the wild, the moderate score and lack of mitigation by default make it a noteworthy risk for sites that still run older OpenMage LTS versions.

Generated by OpenCVE AI on May 15, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenMage magento‑lts to version 20.18.0 or later to apply the vendor fix.
  • If a swift upgrade is not possible, temporarily block or restrict access to the admin panel’s Dataflow – Profiles import functionality and enforce strict role‑based controls so that only highly trusted administrators can reach the vulnerable interface.
  • As a last resort, employ a WAF rule or add custom server‑side sanitization for data passed through the import interface to neutralize potential script payloads.

Generated by OpenCVE AI on May 15, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x8jv-q8j2-487c Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel -> System -> Import/Export -> Dataflow - Profiles. This vulnerability is fixed in 20.18.0.
Title Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Weaknesses CWE-87
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:04:51.109Z

Reserved: 2026-04-27T13:55:58.694Z

Link: CVE-2026-42458

cve-icon Vulnrichment

Updated: 2026-05-15T17:58:18.428Z

cve-icon NVD

Status : Received

Published: 2026-05-15T17:16:46.900

Modified: 2026-05-15T19:16:58.397

Link: CVE-2026-42458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T19:00:07Z

Weaknesses