GHSA-x8jv-q8j2-487c

Source
https://github.com/advisories/GHSA-x8jv-q8j2-487c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x8jv-q8j2-487c/GHSA-x8jv-q8j2-487c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x8jv-q8j2-487c
Aliases
  • CVE-2026-42458
Published
2026-05-06T20:57:37Z
Modified
2026-05-06T21:05:32.927442Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Details

A reflected XSS vulnerability was found in the admin panel under System -> Import/Export -> Dataflow - Profiles: the uploaded filename passed in the run URL is reflected into the HTML of the response.

Steps to reproduce

  • Log in to the admin panel.

  • Go to System -> Import/Export -> Dataflow - Profiles.

  • Select the profile direction Import.

  • Click on Import Customers.

  • Upload the file.

File link: customer20260212204335.csv

  • Go back to Run Profile.

  • Select the uploaded file and click Run in the popup.

  • A URL like the following is shown:

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/

  • The filename from the URL is reflected in the HTML tags of the response.

  • Inject an HTML tag and observe:

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/"><h3>hacked</h3>/

(screenshot: image (3))

  • The injected tag is rendered by the browser.

  • Proceed to XSS:

https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E

(screenshot: image (4))

  • An XSS popup appears.

Impact

Cookie theft, JavaScript-based defacement, and other client-side attacks in the context of the logged-in admin session.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:57:37Z",
    "cwe_ids": [
        "CWE-87"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
20.18.0

Affected versions

1.*
1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1
v19.*
v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21
v19.4.22
v19.4.23
v19.5.0-rc1
v19.5.0-rc2
v19.5.0-rc3
v19.5.0-rc4
v19.5.0-rc5
v19.5.0
v19.5.1
v19.5.2
v19.5.3
v20.*
v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18
v20.0.19
v20.0.20
v20.1.0-rc1
v20.1.0-rc2
v20.1.0-rc3
v20.1.0-rc4
v20.1.0-rc5
v20.1.0-rc6
v20.1.0-rc7
v20.1.0
v20.1.1
v20.2.0
v20.3.0
v20.4.0
v20.5.0
v20.6.0
v20.7.0
v20.8.0
v20.9.0
v20.10.0
v20.10.1
v20.10.2
v20.11.0
v20.12.0
v20.12.1
v20.12.2
v20.12.3
v20.13.0
v20.14.0
v20.15.0
v20.16.0
v20.17.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x8jv-q8j2-487c/GHSA-x8jv-q8j2-487c.json"
last_known_affected_version_range
"<= 20.17.0"