Path Traversal Vulnerability in OpenMage LTS Dataflow Module
CVE-2026-25525

4.9 MEDIUM

Key Information:

Vendor: Openmage
CVE Published: 20 April 2026

What is CVE-2026-25525?

The OpenMage LTS Dataflow module, prior to version 20.17.0, is susceptible to a path traversal vulnerability due to a weak blacklist filter used for input sanitization. Attackers, particularly authenticated administrators, can exploit this vulnerability by crafting specific input patterns such as ..././ or ....//, effectively bypassing the filter. This allows unauthorized access to arbitrary files on the server, posing a significant risk to the integrity of the system. It is crucial for users operating on affected versions to upgrade to 20.17.0 or later to ensure their systems are secured against this exploit.
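
Why patterns such as ..././ and ....// get through a blacklist, shown as an added example that is not OpenMage code: weakFilter() is an assumed single-pass removal of "../" standing in for the kind of filter described above, and resolveInside() is a hypothetical canonicalise-then-compare check, not the fix shipped in 20.17.0. All paths and file names are constructed in a temporary sandbox.

```php
<?php
// Added illustration; not OpenMage code. The filter below is an assumed
// single-pass blacklist of the kind the advisory describes.

// Weak: removes "../" once, left to right. Deleting the inner "../" from
// "..././" or "....//" splices the surrounding characters into a new "../".
function weakFilter(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened: canonicalise the raw input, then require the result to sit under
// the base directory. Returns the resolved path, or null to reject.
function resolveInside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // base or target does not exist
    }
    // Trailing separator stops "/base/import-evil" matching "/base/import".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed sandbox: <tmp>/demo_xxxx/import/ok.csv and <tmp>/demo_xxxx/secret.txt
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/import", 0700, true);
file_put_contents("$root/import/ok.csv", "sku,qty\n");
file_put_contents("$root/secret.txt", "outside the import directory\n");

foreach (['ok.csv', '../secret.txt', '..././secret.txt', '....//secret.txt'] as $input) {
    $filtered = weakFilter($input);
    $checked  = resolveInside("$root/import", $input);
    printf("%-18s weak filter -> %-14s canonical check -> %s\n",
        $input, $filtered, $checked === null ? 'rejected' : 'allowed');
}

// Remove the sandbox.
unlink("$root/import/ok.csv");
unlink("$root/secret.txt");
rmdir("$root/import");
rmdir($root);
```

The weak filter turns both nested patterns back into ../secret.txt, while the canonical check allows only ok.csv.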

Affected Version(s)

magento-lts < 20.17.0

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
