Openmage
Products by Openmage Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there has been 1 vulnerability in Openmage, with an average score of 5.3 out of ten. Last year, in 2025, Openmage had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Openmage in 2026 could surpass last year's number.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.30 |
| 2025 | 1 | 0.00 |
| 2024 | 1 | 4.80 |
| 2023 | 7 | 7.10 |
| 2022 | 0 | 0.00 |
| 2021 | 4 | 7.85 |
| 2020 | 2 | 7.60 |
It may take a day or so for new Openmage vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Openmage Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-25523 | Feb 04, 2026 | Magento-lts 20.16.1: X-Original-Url header leaks admin URL (CVE-2026-25523). Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1. | |
| CVE-2025-64174 | Nov 06, 2025 | Magento-lts Stored XSS via Admin Notification Grid (20.15.0). Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access, or by the admin notification feed source, to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0. | |
| CVE-2024-41676 | Jul 29, 2024 | Magento LTS XSS in header config before 20.10.1. Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs. They are intended to let admins set a text in two of the cases, and to define an image URL in the other two cases. Because escaping was previously missing, arbitrary HTML, and as a consequence arbitrary JavaScript, could be entered. The problem is patched in version 20.10.1 or higher. | |
| CVE-2023-41879 | Sep 11, 2023 | Magento LTS order view w/o auth via guest cookie before 19.5.1 (CVE-2023-41879). Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters, which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute-force attack. This issue has been patched in versions 19.5.1 and 20.1.1. | |
| CVE-2023-23617 | Jan 28, 2023 | Infinite Loop in Malicious Code Filter (OpenMage LTS <19.4.22/20.0.19). OpenMage LTS is an e-commerce platform. Versions prior to 19.4.22 and 20.0.19 contain an infinite loop in the malicious code filter under certain conditions. Versions 19.4.22 and 20.0.19 have a fix for this issue. There are no known workarounds. | |
| CVE-2021-41231 | Jan 27, 2023 | OpenMage LTS Remote Code Execution via DataFlow Conv. Profile <19.4.22/20.0.19. OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | |
| CVE-2021-41144 | Jan 27, 2023 | OpenMage LTS 19.4.22/20.0.19 RCE via Layout Block Blacklist Bypass. OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | |
| CVE-2021-41143 | Jan 27, 2023 | Remote Code Execution in OpenMage LTS Prior to 19.4.22 via Customer Media. OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue. | |
| CVE-2021-39217 | Jan 27, 2023 | OpenMage LTS <19.4.22/20.0.19: Arbitrary Cmd Exec via Custom Layout. OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue. | |
| CVE-2021-21395 | Jan 27, 2023 | Magento LTS <=19.4.22 CSRF via Password Reset (no workaround). Magento LTS (Long Term Support) is a community-developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and the time the user submits a new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds. | |