DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40488: Remote Code Execution via Blocklist Bypass in OpenMage LTS File Uploads

Vulnerability ID: CVE-2026-40488
CVSS Score: 8.7
Published: 2026-04-21

OpenMage Magento-LTS versions prior to 20.17.0 suffer from a high-severity unrestricted file upload vulnerability (CWE-434). The flaw resides in the product custom options upload handler, which relies on an incomplete blocklist. This allows attackers with minimal privileges to upload malicious files using alternative PHP extensions and achieve unauthenticated remote code execution on the underlying server.

TL;DR

A blocklist bypass in the file upload mechanism of OpenMage LTS < 20.17.0 allows attackers to upload files with alternative PHP extensions (e.g., .phtml, .phar). The predictable storage path allows attackers to access these files, resulting in unauthenticated remote code execution.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-434
  • CVSS 4.0 Score: 8.7 (High)
  • Attack Vector: Network
  • Exploit Status: Proof-of-Concept
  • EPSS Percentile: 30.57%
  • CISA KEV: Not Listed

Affected Systems

  • OpenMage Magento-LTS
  • Magento-LTS: < 20.17.0 (Fixed in: 20.17.0)

Mitigation Strategies

  • Upgrade to OpenMage LTS version 20.17.0.
  • Disable PHP execution in the media/ directories using web server configuration.
  • Manually expand the forbidden_extensions configuration node to include all alternative PHP extensions.

Remediation Steps

  1. Verify the current OpenMage LTS version.
  2. Download the 20.17.0 update or apply the individual patch diff.
  3. Deploy the update to a staging environment and run integration tests.
  4. Apply the update to the production environment.
  5. Update web server configurations (Apache/Nginx) to explicitly deny script execution in the 'media/' directory as a defense-in-depth measure.
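The defense-in-depth step above, as an added example that is not part of the advisory or the OpenMage project: an nginx server block that never hands anything under /media/ to the PHP FastCGI handler, whatever extension an uploaded file carries. The document root, the upstream name "php-fpm" and the host name are assumptions.

```nginx
# Added example (not from the advisory or OpenMage): deny script execution
# under /media/, where custom-option uploads are stored.
# Assumptions: document root /var/www/openmage, FastCGI upstream "php-fpm".

server {
    listen 80;
    server_name shop.example;           # placeholder host name
    root /var/www/openmage;             # assumed OpenMage document root
    index index.php;

    # "^~" makes this prefix match final: nginx stops evaluating regex
    # locations, so the generic "\.php$" handler further down can never
    # apply to a URI under /media/, regardless of the file's extension.
    location ^~ /media/ {
        # Belt and braces: refuse even to serve the bytes of PHP-type files,
        # covering the alternative extensions named in the advisory
        # (.phtml, .phar) and the path-info form "file.php/anything".
        location ~* \.(php|phtml|phar|phps|pht|php[0-9])(/|$) {
            return 403;
        }
        # Everything else is served as static content; missing files fall
        # through to OpenMage's get.php media fallback via internal redirect.
        try_files $uri $uri/ /get.php$is_args$args;
    }

    # Generic PHP handler for the rest of the application.
    location ~ \.php$ {
        try_files $uri =404;            # no path-info execution
        fastcgi_pass php-fpm;           # assumed upstream name
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading, a request for any .phtml or .phar path under /media/ should return 403 from nginx itself without ever reaching PHP-FPM, which is the check worth scripting into deployment tests.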

Read the full report for CVE-2026-40488 on our website for more details including interactive diagrams and full exploit analysis.
