Adobe EUVD-2026-23891

| CVE-2026-25525 MEDIUM
Path Traversal (CWE-22)
2026-04-20 GitHub_M GHSA-6vqf-6fhm-7rc6
Adobe Path Traversal
4.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
Patch available
Apr 20, 2026 - 17:16 EUVD

DescriptionNVD

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (str_replace('../', '', $input)) to prevent path traversal attacks. This filter can be bypassed using patterns like ..././ or ....//, which after the replacement still result in ../. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.

AnalysisAI

OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (str_replace('../', '', $input)). Attackers can circumvent the blacklist by using nested patterns like ..././ or ....// which resolve to valid ../ sequences after filtering. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-23891 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy