Deserialization Vulnerability in OpenMage LTS e-Commerce Platform
CVE-2026-25524

8.1 HIGH

Key Information:

Vendor

OpenMage

CVE Published:
20 April 2026

What is CVE-2026-25524?

OpenMage Long Term Support (LTS) is a community-driven project designed to maintain high backward compatibility with Magento Community Edition. Prior to version 20.17.0, PHP functions such as getimagesize(), file_exists(), and is_readable() were called on attacker-influenced paths; when such a path uses the phar:// stream wrapper, these functions deserialize the PHAR archive's metadata as a side effect. An attacker could therefore upload a malicious PHAR file disguised as a legitimate image and have its serialized metadata deserialized during image validation and media handling. Version 20.17.0 addresses this issue.
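The defensive pattern a maintainer would put in front of these calls, as an added example that is not OpenMage's own code: reject any scheme-carrying path (phar:// included) before it reaches getimagesize()/file_exists()/is_readable(), confine the path to the media directory, and refuse files that carry a PHAR stub whatever their extension. `SafeImageProbe`, its `$mediaRoot` parameter and the stub check are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hardened image probe (added example, not OpenMage code).
 * Every check runs before the path is handed to a filesystem function that
 * would honour stream wrappers.
 */
final class SafeImageProbe
{
    /** Directory every probed path must resolve into (assumed for this example). */
    public function __construct(private string $mediaRoot) {}

    /** True only for scheme-less paths that canonicalise to a file under $mediaRoot. */
    public function isPlainLocalPath(string $path): bool
    {
        // "scheme://" means a PHP stream wrapper; phar:// is the one that deserializes.
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
            return false;
        }
        // realpath() does not honour wrappers, so it is safe to call after the check above.
        $real = realpath($path);
        $root = realpath($this->mediaRoot);
        if ($real === false || $root === false || !is_file($real)) {
            return false;
        }
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        return str_starts_with($real, $prefix);
    }

    /** True if the file embeds the PHAR stub terminator, regardless of extension or MIME type. */
    public function looksLikePhar(string $realPath): bool
    {
        // Whole file is read: a polyglot stub may be large, so a short prefix check would miss it.
        $bytes = @file_get_contents($realPath);
        return $bytes !== false && stripos($bytes, '__HALT_COMPILER') !== false;
    }

    /** Calls getimagesize() only when both checks pass; null means "refused", not "not an image". */
    public function imageSize(string $path): ?array
    {
        if (!$this->isPlainLocalPath($path)) {
            return null;
        }
        $real = realpath($path);
        if ($this->looksLikePhar($real)) {
            return null;
        }
        $info = @getimagesize($real);
        return $info === false ? null : $info;
    }
}
```

As a belt-and-braces measure on hosts that never need PHAR archives at runtime, `stream_wrapper_unregister('phar')` at bootstrap removes the wrapper entirely, so no path string can reach the deserialization code path at all.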

Affected Version(s)

magento-lts < 20.17.0

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
