Reflected XSS Vulnerability in OpenMage Magento LTS E-commerce Platform
CVE-2026-42458

5.3MEDIUM

Key Information:

Vendor: Openmage
Status: Magento-lts
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-42458?

The OpenMage Magento Long Term Support (LTS) platform, designed to enhance the functionality of the Magento Community Edition, has been identified with a reflected XSS vulnerability located under the admin panel functionalities, specifically in the import/export dataflow profiles section. This vulnerability allows an attacker to inject malicious scripts through crafted URLs, which can be executed in the context of the administrator's session, posing substantial risks to data integrity and security. This issue has been addressed in version 20.18.0.

Affected Version(s)

magento-lts < 20.18.0

References

https://github.com/OpenMage/magento-lts/security/advisori...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42458 Data

JSON

Openmage

What is CVE-2026-42458?

Affected Version(s)

References

CVSS V4

Timeline