PT-2026-37254 · Openmage · Magento-Lts

Published: 2026-05-05 · Updated: 2026-05-18 · CVE-2026-42207

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Magento Long Term Support (LTS) versions prior to 20.18.0

Description: The Mage_ProductAlert_AddController::stockAction() function reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without first verifying that the URL is internal via $this->_isUrlInternal(). When the supplied product id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to the URL given in the uenc parameter. An attacker can therefore redirect authenticated users to arbitrary external websites, which can be used for credential phishing, stealing OAuth tokens, or malware distribution.

Recommendations: Update to version 20.18.0.
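The missing check described above is an allow-list decision on the decoded back URL. The following is an added illustration, not OpenMage's own code or its fix: it decodes a uenc value the way Magento 1 encodes back URLs (URL-safe base64 with "-_," standing in for "+/=") and only honours it when the target is on the store's own host, which is what $this->_isUrlInternal() provides inside a controller. The function names, the base URL and the sample values are assumptions constructed for this example.

```php
<?php
// Added example (not OpenMage code). Safe handling of a Magento-style `uenc`
// "return to" parameter: decode, then allow-list the host before redirecting.

function decodeUenc(string $uenc): string
{
    // Same transform Magento's core helper applies to uenc (URL-safe base64).
    return (string) base64_decode(strtr($uenc, '-_,', '+/='), true);
}

function isInternalUrl(string $url, array $baseUrls): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                      // relative, scheme-less or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                      // javascript:, data:, etc.
    }
    foreach ($baseUrls as $base) {
        $b = parse_url($base);
        // Compare host and port exactly so look-alike hosts do not pass.
        if (strcasecmp($parts['host'], $b['host']) === 0
            && ($parts['port'] ?? null) === ($b['port'] ?? null)) {
            return true;
        }
    }
    return false;
}

// Returns the decoded back URL only when it is internal; otherwise $fallback.
function safeBackUrl(string $uenc, array $baseUrls, string $fallback): string
{
    $url = decodeUenc($uenc);
    return ($url !== '' && isInternalUrl($url, $baseUrls)) ? $url : $fallback;
}

// Constructed sample values: the store's (assumed) base URL, plus an on-site
// and an off-site target encoded the way a Magento front end would encode them.
$baseUrls = ['https://shop.example/'];
$internal = strtr(base64_encode('https://shop.example/catalog/product/view/id/42/'), '+/=', '-_,');
$external = strtr(base64_encode('https://attacker.example/login'), '+/=', '-_,');

var_dump(safeBackUrl($internal, $baseUrls, '/'));  // on-site URL is kept
var_dump(safeBackUrl($external, $baseUrls, '/'));  // off-site URL falls back to "/"
```

In a real controller the fallback would typically be the store home page or a referer that has itself passed the same check.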


Weakness Enumeration: Open Redirect

Related Identifiers

CVE-2026-42207
GHSA-QPGQ-5G92-J5Q8

Affected Products

Magento-Lts
Openmage Magento Lts