CVE-2026-42207 is a medium-severity open redirect in Magento Long Term Support (LTS) before 20.18.0. The issue affects the product alert add flow: when the supplied product_id does not match an existing catalog product, Mage_ProductAlert_AddController::stockAction() uses the uenc query parameter as a redirect target without validating that the destination is internal. The result is an unvalidated HTTP 302 [truncated]
CVE-2026-42155 affects Magento Long Term Support (LTS) versions prior to 20.18.0. The XML-RPC/SOAP API session ID generation used an outdated, time-based MD5 construction rather than a cryptographically secure random source. Per the supplied description, the inputs were time-derived and non-secure, leaving the effective entropy severely constrained and enabling a localized brute-force attack against activ [truncated]
