PT-2026-33797 · Openmage · Openmage

Published

2026-04-20

Updated

2026-04-21

CVE-2026-25525

CVSS v3.1

4.9

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions OpenMage LTS versions prior to 20.17.0

Description The Dataflow module uses a weak blacklist filter to prevent path traversal. The filter uses str replace('../','', $input), which can be bypassed using patterns such as ..././ or ....// because the replacement is only performed in a single pass. An authenticated administrator can exploit this by manipulating the files parameter to read arbitrary files from the server filesystem.

Recommendations Update to version 20.17.0. As a temporary workaround, disable the Dataflow module if it is not in use. Restrict access to the Dataflow module to trusted administrators only.

Exploit

Fix

Path traversal

Incomplete List of Disallowed Inputs

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-184

Related Identifiers

CVE-2026-25525

GHSA-6VQF-6FHM-7RC6

Affected Products

Openmage

PT-2026-33797 · Openmage · Openmage

CVE-2026-25525

Weakness Enumeration

Related Identifiers

Affected Products

References · 10