Stored XSS Vulnerability in Magento-lts Affects OpenMage Products
CVE-2025-64174

4.6MEDIUM

Key Information:

Vendor: Openmage
Status: Magento-lts
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-64174?

The Magento-lts product, which serves as a long-term support alternative to Magento Community Edition, contains a vulnerability allowing for stored Cross-Site Scripting (XSS). This issue impacts versions 20.15.0 and lower, enabling an attacker with backend access or an administrator to inject malicious scripts through unescaped translation strings and URLs located in specific code files. This flaw can lead to unauthorized actions and harmful consequences if exploited. The vulnerability has been addressed in version 20.16.0 of the product.

Affected Version(s)

magento-lts < 20.16.0

References

https://github.com/OpenMage/magento-lts/security/advisori...

x_refsource_CONFIRM

https://github.com/OpenMage/magento-lts/commit/9d604f5489...

x_refsource_MISC

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Oct 28, 2025

JSON

Openmage

What is CVE-2025-64174?

Affected Version(s)

References

CVSS V4

Timeline