Skip to main content

PHP CVE-2026-25524

| EUVD-2026-23889 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-20 GitHub_M GHSA-fg79-cr9c-7369
PHP Adobe Deserialization RCE
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 23, 2026 - 17:47 nvd
Patch available
Re-analysis Queued
Apr 20, 2026 - 17:52 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 17:52 vuln.today
Patch available
Apr 20, 2026 - 17:16 EUVD
EUVD ID Assigned
Apr 20, 2026 - 17:15 euvd
EUVD-2026-23889
Analysis Generated
Apr 20, 2026 - 17:15 vuln.today
CVE Published
Apr 20, 2026 - 16:11 nvd
HIGH 8.1

DescriptionGitHub Advisory

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a phar:// path can achieve arbitrary code execution. Version 20.17.0 patches the issue.

AnalysisAI

Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Upload malicious phar disguised as image
Delivery
Store file on server filesystem
Exploit
Manipulate path parameter with phar:// wrapper
Install
Trigger vulnerable PHP function processing path
C2
Deserialize embedded malicious objects
Execute
Execute arbitrary code as web server user
Impact
Establish persistent backdoor access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the OpenMage instance exposes file upload functionality (product images, customer avatars, CMS media uploads, or import/export features) where phar archives can be stored on the server filesystem with attacker-controlled or predictable paths. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the critical CVSS score of 8.1, real-world exploitation risk depends heavily on deployment specifics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an OpenMage storefront allowing product image uploads or customer profile pictures without authentication. They craft a malicious phar archive containing serialized PHP objects with gadget chains targeting known classes in OpenMage or installed plugins. …
Remediation Upgrade immediately to OpenMage Magento LTS version 20.17.0 or later, available at https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all OpenMage Magento LTS installations and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-25524 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy