{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25524", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.372Z", "datePublished": "2026-04-20T16:11:16.922Z", "dateUpdated": "2026-04-20T16:54:43.603Z"}, "containers": {"cna": {"title": "OpenMage LTS's Phar Deserialization leads to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369"}, {"name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"}], "affected": [{"vendor": "OpenMage", "product": "magento-lts", "versions": [{"version": "< 20.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:11:16.922Z"}, "descriptions": [{"lang": "en", "value": "Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue."}], "source": {"advisory": "GHSA-fg79-cr9c-7369", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:44:41.509455Z", "id": "CVE-2026-25524", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:54:43.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25524", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:44:41.509455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:44:46.174Z"}}], "cna": {"title": "OpenMage LTS's Phar Deserialization leads to Remote Code Execution", "source": {"advisory": "GHSA-fg79-cr9c-7369", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenMage", "product": "magento-lts", "versions": [{"status": "affected", "version": "< 20.17.0"}]}], "references": [{"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369", "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:11:16.922Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25524", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:54:43.603Z", "dateReserved": "2026-02-02T19:59:47.372Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T16:11:16.922Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*", "matchCriteriaId": "D3D78A44-3FCF-4E81-9A3C-A66A99CC489D", "versionEndExcluding": "20.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue."}], "id": "CVE-2026-25524", "lastModified": "2026-04-23T17:47:24.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T17:16:32.290", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,20.17.0)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "magento-lts", "source": "cna", "vendor": "OpenMage"}, "product": "magento", "vendor": "openmage"}], "analysis": {"en": {"generated_at": "2026-04-20T17:19:09.060790+00:00", "value": {"mitigation_remediation": ["Update OpenMage Magento LTS to version 20.17.0 or later; this releases the patch that removes the vulnerable deserialization logic.", "Validate uploaded files strictly to ensure only legitimate image formats are accepted and reject any phar:// or other non-image paths before processing.", "If an update cannot be applied immediately, limit the exposure by disabling or restricting PHP functions capable of parsing phar streams (e.g., by adjusting php.ini or code) and monitor logs for unauthorized upload attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Installations of OpenMage Magento LTS that run any version prior to 20.17.0 are affected. The issue is fixed in release v20.17.0 and later.", "description_and_impact": "The vulnerability arises when PHP functions such as getimagesize(), file_exists(), and is_readable() process phar:// stream wrapper paths, causing deserialization of the phar archive. In OpenMage Magento LTS before version 20.17.0 these functions are invoked with user-controllable paths during image validation and media handling. An attacker who uploads a specially crafted phar file disguised as an image can trigger arbitrary PHP object deserialization, leading to remote code execution. The weakness is identified as CWE\u2011502.", "risk_and_exploitability": "The CVSS score of 8.1 signals high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack path involves an attacker with the ability to upload a filerequest that is processed by the vulnerable functions; the exploit requires no additional configuration beyond the default upload mechanism. While no public exploits are documented, the absence from KEV and the high severity scores indicate that the opportunity for exploitation is substantial for an attacker who can influence file uploads."}}}}, "created": "2026-04-20T17:30:12.648157+00:00", "updated": "2026-04-22T11:47:39.248972+00:00", "vendors": ["openmage", "openmage$PRODUCT$magento"]}