Skip to main content

Adobe CVE-2026-40098

| EUVDEUVD-2026-23903 MEDIUM
Missing Authorization (CWE-862)
2026-04-20 GitHub_M GHSA-665x-ppc4-685w
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 17:46 nvd
Patch available
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
Patch available
Apr 20, 2026 - 17:16 EUVD
EUVD ID Assigned
Apr 20, 2026 - 17:15 euvd
EUVD-2026-23903
Analysis Generated
Apr 20, 2026 - 17:15 vuln.today
CVE Published
Apr 20, 2026 - 16:19 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public sharing_code, but loads the acted-on wishlist item by a separate global wishlist_item_id and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored buyRequest is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.

AnalysisAI

Magento LTS prior to version 20.17.0 allows authenticated attackers to access private wishlist items from other users via an authorization bypass in the shared wishlist add-to-cart endpoint. The vulnerability permits an attacker with a valid sharing code for one wishlist to import items from a different victim's wishlist into their cart by manipulating the wishlist_item_id parameter, potentially exposing private custom option data and enabling cross-user file disclosure when file upload custom options are present. CVSS 5.3 (AV:N/AC:L/PR:L) indicates network-accessible exploitation requiring low privileges; patch version 20.17.0 resolves the issue.

Technical ContextAI

Magento LTS is a community-maintained fork of the Magento Community Edition e-commerce platform written in PHP. The vulnerability resides in the shared wishlist add-to-cart endpoint (part of the Wishlist module), which implements a two-parameter authorization model: a public sharing_code that grants access to a specific shared wishlist, and a wishlist_item_id that identifies the product to add to cart. The flaw is a classic insecure direct object reference (IDOR) combined with insufficient cross-reference validation. When processing the add-to-cart request, the endpoint verifies the sharing_code belongs to a valid wishlist but fails to validate that the specified wishlist_item_id actually belongs to that same wishlist. This allows an attacker to supply a valid sharing_code from wishlist A with an item ID from the victim's wishlist B, bypassing ownership checks. The vulnerability is classified as CWE-862 (Missing Authorization), indicating the system fails to enforce authorization policies before performing sensitive operations. The reuse of the victim's stored buyRequest data during import is the attack vector for escalating to custom option disclosure and, when file uploads are involved, cross-user file access due to the download endpoint not being bound to the file owner.

RemediationAI

Magento LTS users should upgrade to version 20.17.0 or later immediately to patch the authorization bypass. The vendor fix verifies that wishlist_item_id belongs to the shared wishlist referenced by the sharing_code before processing add-to-cart requests, eliminating the IDOR condition. For users unable to immediately upgrade, implement network-level or application-level mitigations: restrict access to the shared wishlist add-to-cart endpoint (typically /wishlist/shared/add/) to authenticated users only via Web Application Firewall rules, monitor for suspicious patterns of wishlist_item_id enumeration or mismatches between sharing_code and item ownership, and audit wishlist sharing logs for cross-account item imports. If custom options with file uploads are in use, additionally verify file download endpoints enforce ownership checks (not part of this CVE but a correlated risk). Note that these mitigations do not address the underlying logic flaw and should be treated as temporary controls pending patching. Reference the OpenMage security advisory at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w for detailed patch release notes.

More in Adobe

View all
CVE-2015-5119 CRITICAL POC
9.8 Jul 08

Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr

CVE-2016-4117 CRITICAL POC
9.8 May 11

Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a

CVE-2015-3113 CRITICAL POC
9.8 Jun 23

Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J

CVE-2011-2462 CRITICAL POC
9.8 Dec 07

Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote

CVE-2011-0611 HIGH POC
8.8 Apr 13

Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar

CVE-2009-0927 HIGH POC
8.8 Mar 19

Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj

CVE-2014-0497 CRITICAL POC
9.8 Feb 05

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma

CVE-2009-4324 HIGH POC
7.8 Dec 15

Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac

CVE-2015-0313 CRITICAL POC
9.8 Feb 02

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows

CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2015-0311 CRITICAL POC
9.8 Jan 23

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window

CVE-2013-0632 CRITICAL POC
9.8 Jan 17

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos

Share

CVE-2026-40098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy