How to fix CVE-2025-64174?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Verify Content-Security-Policy and output encoding.

Is PHP affected by CVE-2025-64174?

Organizations using Magento-lts should be aware of moderate risk from CVE-2025-64174, a cross-site scripting vulnerability rated CVSS 4.6. Attackers could inject scripts to steal sessions or perform actions as authenticated users. Proof-of-concept code is publicly available.

CVE-2025-64174

MEDIUM

2025-11-06 [email protected]

4.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:20 vuln.today

Patch Released

Mar 28, 2026 - 19:20 nvd

Patch available

PoC Detected

Feb 04, 2026 - 21:12 vuln.today

Public exploit code

CVE Published

Nov 06, 2025 - 21:15 nvd

MEDIUM 4.6

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.

Analysis

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0. Affected products include: Openmage Magento. Version information: version 20.16.0..

Affected Products

Openmage Magento.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +23

POC: +20

CVE-2025-64174 vulnerability details – vuln.today

Back

CVE-2025-64174

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-64174

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code