PatchSiren

OpenMage CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM OpenMage CVE published 2026-05-15

CVE-2026-42458

A reflected cross-site scripting (XSS) vulnerability exists in Magento Long Term Support (LTS), a community-driven fork of Magento Community Edition. The flaw resides in the admin panel's Dataflow - Profiles functionality (System → Import/Export → Dataflow - Profiles) and was present in all versions prior to 20.18.0. An attacker could exploit this vulnerability by crafting a malicious URL containing JavaS [truncated]
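
The defence for a reflected XSS of this kind is context-correct output encoding of anything echoed back from the request. The following is an added example written for this debrief, not OpenMage source: the field name profile_name and the payload are constructed stand-ins, since the advisory text above does not name the affected parameter.

```php
<?php
declare(strict_types=1);

// Added example, not OpenMage code. A request parameter is echoed back into an
// admin page. "profile_name" is a hypothetical stand-in for the affected field.

/** Vulnerable rendering: the raw value lands in the HTML unchanged. */
function renderUnescaped(string $value): string
{
    return '<input name="profile_name" value="' . $value . '">';
}

/** HTML element body / attribute context: encode &, <, >, " and '. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** JavaScript string-literal context: HTML escaping alone is not enough here. */
function escapeJs(string $value): string
{
    // The JSON_HEX_* flags keep the literal safe even when it sits inside HTML.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Hardened rendering: one encoder per output context. */
function renderEscaped(string $value): string
{
    return '<input name="profile_name" value="' . escapeHtml($value) . '">'
        . "\n<script>var profileName = " . escapeJs($value) . ';</script>';
}

// Constructed payload of the kind a crafted admin URL would carry.
$payload = '"><script>alert(document.cookie)</script>';
echo renderUnescaped($payload), "\n";  // closes the attribute; the script runs
echo renderEscaped($payload), "\n";    // rendered as inert text in both contexts
```

The point of the two encoders is that the same value needs different treatment in an attribute and inside a script block; applying only escapeHtml() to a value that is later dropped into a JavaScript string still leaves an injection.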

MEDIUM OpenMage CVE published 2026-05-15

CVE-2026-42207

CVE-2026-42207 is a medium-severity open redirect in Magento Long Term Support (LTS) before 20.18.0. The issue affects the product alert add flow: when the supplied product_id does not match an existing catalog product, Mage_ProductAlert_AddController::stockAction() uses the uenc query parameter as a redirect target without validating that the destination is internal. The result is an unvalidated HTTP 302 [truncated]
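
The flow described above can be modelled in a few lines. The example below is added for this debrief and is not the OpenMage source or its fix: it treats the uenc value as a plain URL (if your code path base64-decodes uenc first, as Magento conventionally does, pass the decoded value in), and the store base URL and sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not OpenMage code. The "uenc" return-URL parameter is used as
// a redirect target, so it must be confined to the store's own origin before a
// 302 is issued. Store URL and sample inputs below are constructed for the demo.

/**
 * Return $candidate if it points at the store's own origin, else the store home page.
 * Accepts a same-origin absolute URL or a path that starts with a single "/".
 */
function safeRedirectTarget(?string $candidate, string $storeBaseUrl): string
{
    $base = parse_url($storeBaseUrl);
    if ($base === false || !isset($base['scheme'], $base['host'])) {
        throw new InvalidArgumentException('store base URL must be absolute');
    }
    $origin = $base['scheme'] . '://' . $base['host']
        . (isset($base['port']) ? ':' . $base['port'] : '');

    if ($candidate === null || $candidate === '') {
        return $storeBaseUrl;
    }
    // Browsers and parse_url() disagree on whitespace, control characters and
    // backslashes ("/\evil.example" navigates like "//evil.example"): refuse them.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $storeBaseUrl;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $storeBaseUrl;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or scheme-relative ("//evil.example"): scheme, host and port
        // must all match. "https://store.example@evil.example" carries the store
        // name as userinfo while its host is evil.example, so it fails the host test.
        $sameScheme = isset($parts['scheme']) && strcasecmp($parts['scheme'], $base['scheme']) === 0;
        $sameHost   = isset($parts['host']) && strcasecmp($parts['host'], $base['host']) === 0;
        $samePort   = ($parts['port'] ?? null) === ($base['port'] ?? null);
        if (!$sameScheme || !$sameHost || !$samePort || isset($parts['user']) || isset($parts['pass'])) {
            return $storeBaseUrl;
        }
        return $candidate;
    }
    // Relative form: require a path beginning with exactly one "/".
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        return $storeBaseUrl;
    }
    return $origin . $candidate;
}

// Vulnerable shape (paraphrase of the debrief, not the OpenMage source):
//   $back = $request->getParam('uenc'); ... header('Location: ' . $back);
// Hardened shape: every externally supplied target passes through the check.
function issueRedirect(?string $uenc, string $storeBaseUrl): string
{
    $target = safeRedirectTarget($uenc, $storeBaseUrl);
    // header('Location: ' . $target, true, 302);  // real response; returned here for inspection
    return $target;
}

$store = 'https://store.example/';
foreach ([
    '/customer/account/',
    'https://store.example/catalog/product/view/id/42',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\\evil.example/phish',
    'https://store.example@evil.example/',
    'javascript:alert(1)',
    'https://store.example:8443/',
] as $in) {
    printf("%-50s -> %s\n", $in, issueRedirect($in, $store));
}
```

Only the first two inputs survive; every other case falls back to the store home page. The allow-list on scheme, host and port is deliberately stricter than a "does it contain our domain" substring test, which the userinfo and subdomain variants above would defeat.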

CRITICAL OpenMage CVE published 2026-05-15

CVE-2026-42155

CVE-2026-42155 affects Magento Long Term Support (LTS) versions prior to 20.18.0. The XML-RPC/SOAP API generated session IDs with an outdated, time-based MD5 construction rather than from a cryptographically secure random source. According to the published description, the inputs were derived from the clock and were not secret, so the effective entropy was far below the 128 bits an MD5 digest suggests: an attacker who can estimate when a session was created only has to search a small time window, enabling a brute-force attack against activ [truncated]
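
To make the entropy argument concrete, the following added example (not OpenMage code) contrasts a clock-seeded ID with one drawn from the OS CSPRNG and shows the attacker's search. The debrief does not spell out the real construction, so weakSessionId() is a hypothetical stand-in that shares its defining property: the only input is the time; the timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not OpenMage code. weakSessionId() is a hypothetical stand-in
// for the time-based construction described in the debrief.

function weakSessionId(int $unixTime): string
{
    return md5((string) $unixTime);   // 128-bit output, but only ~log2(window) bits of entropy
}

/**
 * Attacker's view: knowing roughly when the session was created (a Date header,
 * an observed login), try every second in a window around the guess, searching
 * outward. Returns the recovered timestamp and the number of tries, or null.
 */
function bruteForceWeakId(string $targetId, int $guessedCreation, int $windowSeconds): ?array
{
    $tries = 0;
    for ($delta = 0; $delta <= $windowSeconds; $delta++) {
        $candidates = $delta === 0
            ? [$guessedCreation]
            : [$guessedCreation - $delta, $guessedCreation + $delta];
        foreach ($candidates as $t) {
            $tries++;
            if (hash_equals($targetId, weakSessionId($t))) {
                return ['timestamp' => $t, 'tries' => $tries];
            }
        }
    }
    return null;
}

/** Hardened generator: 256 bits from the OS CSPRNG, no correlation with anything observable. */
function strongSessionId(): string
{
    return bin2hex(random_bytes(32));
}

/** Validation side: compare in constant time so timing does not leak partial matches. */
function isValidSession(string $presented, array $activeSessions): bool
{
    foreach ($activeSessions as $stored) {
        if (hash_equals($stored, $presented)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: a session created at a time the attacker can estimate to within a minute.
$created   = 1778000000;
$victimId  = weakSessionId($created);
$recovered = bruteForceWeakId($victimId, $created + 37, 3600);   // guess is 37 s off, 1 h window
printf("weak id %s recovered after %d tries (timestamp %d)\n",
    $victimId, $recovered['tries'], $recovered['timestamp']);

$strong = strongSessionId();
printf("strong id %s: 2^256 candidates, no usable starting point\n", $strong);
var_dump(isValidSession($strong, [$strong]));
```

A one-hour window is at most 7201 MD5 computations, which is effectively instant; the same search against strongSessionId() has no window to narrow, because nothing observable correlates with the value.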