Improper access control in magento-lts - CVE-2020-26295

 


Published: January 19, 2021 / Updated: April 20, 2026


Vulnerability identifier: #VU126490
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26295
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: magento-lts
Software vendor: OPENMAGE

Description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper access control in the handling of layout XML during CMS page editing. A remote user can inject an executable file on the server and use it to execute arbitrary code.

Exploitation requires permissions to import or export data and to edit CMS pages.


Remediation

Install the security update from the vendor's website.
