PT-2026-38267 · Openmage+1 · Magento-Lts+1
Published 2026-05-06 · Updated 2026-05-18 · CVE-2026-42458
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Magento Long Term Support (LTS) versions prior to 20.18.0
Description
A reflected cross-site scripting (XSS) issue exists within the admin panel under System -> Import/Export -> Dataflow - Profiles. The flaw occurs when a filename is reflected in HTML tags without proper sanitization. An attacker can exploit this by manipulating the filename in the request to the endpoint "/index.php/admin/system_convert_gui/run/" via the files variable, allowing the execution of arbitrary JavaScript in the context of the user's session. As the UI:P metric in the vector indicates, a victim with an active admin session must first open the crafted request.
Recommendations
Update to version 20.18.0.
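As an added example for defenders (not part of this advisory or of the OpenMage project), the following Python scans web-server access logs for requests to the dataflow run action whose files value carries HTML metacharacters, which is one way to spot probing of this flaw before or after patching. The log lines are constructed; it is assumed that files arrives either as a query parameter or as a Magento-style /files/<value>/ path segment, and no particular admin frontName is assumed.

```python
"""Flag access-log requests to the OpenMage dataflow run action whose
`files` value carries HTML metacharacters (reflected-XSS probing).
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2026:10:00:01 +0000] "GET /index.php/admin/system_convert_gui/run/?files=export_products.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [06/May/2026:10:00:02 +0000] "GET /index.php/admin/system_convert_gui/run/?files=%3Cb%3Eprobe%3C%2Fb%3E.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [06/May/2026:10:00:03 +0000] "GET /index.php/admin/catalog_product/index/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that must never reach an HTML attribute or text node unescaped.
HTML_META = re.compile(r'[<>"\']')

def files_values(target):
    """Return every `files` value in a request target, whether sent as a query
    parameter (?files=...) or as a Magento-style path segment (/run/files/<v>/).
    The admin frontName is not assumed, so only controller/action are matched."""
    url = urlsplit(target)
    if "/system_convert_gui/run" not in url.path:
        return []
    values = parse_qs(url.query, keep_blank_values=True).get("files", [])
    seg = re.search(r"/run/files/([^/]+)", url.path)
    if seg:
        values.append(unquote(seg.group(1)))
    return values

def suspicious_request(line):
    """Return (ip, timestamp, offending values) for a hit, else None.
    A second unquote() catches values that were percent-encoded twice."""
    m = LOG_RE.match(line)
    if not m:
        return None
    bad = [v for v in files_values(m.group("target")) if HTML_META.search(unquote(v))]
    return (m.group("ip"), m.group("ts"), bad) if bad else None

def scan(log_text):
    """Scan a whole log and return the list of hits."""
    return [hit for hit in map(suspicious_request, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, ts, bad in scan(SAMPLE_LOG):
        print(f"{ts} {ip} files={bad}")
```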
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Magento-Lts
Openmage Magento Lts