{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25523", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.487Z", "datePublished": "2026-02-04T21:21:56.414Z", "dateUpdated": "2026-02-04T21:40:35.514Z"}, "containers": {"cna": {"title": "Magento's X-Original-Url header can expose admin url", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f"}, {"name": "https://hackerone.com/bugs?subject=openmage&report_id=3416312", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/bugs?subject=openmage&report_id=3416312"}], "affected": [{"vendor": "OpenMage", "product": "magento-lts", "versions": [{"version": "< 20.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:21:56.414Z"}, "descriptions": [{"lang": "en", "value": "Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1."}], "source": {"advisory": "GHSA-jg68-vhv3-9r8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:34:33.511870Z", "id": "CVE-2026-25523", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:40:35.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25523", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:34:33.511870Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:38:07.271Z"}}], "cna": {"title": "Magento's X-Original-Url header can expose admin url", "source": {"advisory": "GHSA-jg68-vhv3-9r8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "OpenMage", "product": "magento-lts", "versions": [{"status": "affected", "version": "< 20.16.1"}]}], "references": [{"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f", "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://hackerone.com/bugs?subject=openmage&report_id=3416312", "name": "https://hackerone.com/bugs?subject=openmage&report_id=3416312", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:21:56.414Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25523", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:40:35.514Z", "dateReserved": "2026-02-02T18:21:42.487Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:21:56.414Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*", "matchCriteriaId": "38BC51D0-57DC-4980-A1C7-860D04FF03C2", "versionEndIncluding": "20.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1."}, {"lang": "es", "value": "Magento-lts es una alternativa de soporte a largo plazo a Magento Community Edition (CE). Antes de la versi\u00f3n 20.16.1, la URL de administraci\u00f3n puede ser descubierta sin conocimiento previo de su ubicaci\u00f3n explotando el encabezado X-Original-Url en algunas configuraciones. Este problema ha sido parcheado en la versi\u00f3n 20.16.1."}], "id": "CVE-2026-25523", "lastModified": "2026-02-20T20:57:08.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:15:59.353", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/bugs?subject=openmage&report_id=3416312"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:11:27.487823+00:00", "value": {"mitigation_remediation": ["Apply the official update to OpenMage magento\u2011lts version 20.16.1 or later, which removes the vulnerability.", "Configure the web server or any reverse\u2011proxy in front of Magento to strip or ignore the X\u2011Original\u2011Url header from incoming requests so that an attacker cannot rely on a manipulated header.", "Continuously monitor access logs for attempts that include X\u2011Original\u2011Url or for unusual requests that may indicate that an adversary is trying to discover the admin path."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure \u2013 Admin URL Exposure"}, "threat_synthesis": {"affected_systems": "Products affected are the OpenMage Long\u2011Term\u2011Support edition of Magento. All instances running a version older than 20.16.1 are vulnerable; the patch was applied in 20.16.1 and later releases. The specific admin\u2011url path is not hard coded and depends on the deployment configuration, but the exposure occurs in all configurations that allow the header to pass through.", "description_and_impact": "The Magento\u2011lts application contains a flaw that allows an attacker to discover the location of the administration interface by sending requests that include a specific header, X\u2011Original\u2011Url. The vulnerability is classified as a confidentiality weakness (CWE\u2011200). When the header is present, the server can expose or infer the admin\u2011url path, allowing an unauthenticated user to identify the exact location of a privileged resource.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a very low probability of active exploitation at this time. The ad\u2011hoc use of a request header does not require any additional privilege, meaning that anyone who can reach the web application can attempt to enumerate the admin path. Although the vulnerability is not currently listed in the CISA KEV catalog, it remains a risk for attackers who may use automated scans to locate the admin interface and then attempt other credential\u2011guessing or privilege\u2011bypass attacks."}}}}, "created": "2026-02-05T11:40:01.852869+00:00", "updated": "2026-04-17T23:15:30.807936+00:00", "vendors": ["openmage", "openmage$PRODUCT$magento"]}