Arbitrary file upload in Openmage Magento-lts

CVE-2026-40488

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product cust…

Vulnerability class: Unrestricted File Upload

EPSS: 0.001 (25.4th percentile) — read the EPSS interpretation.

Affected products

Openmage Magento-lts — versions < 20.17.0

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

References

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3j5q-7q7h-2hhv (x_refsource_CONFIRM)