CVE-2025-64174

MEDIUM EPSS 9.1%
Published Nov 6, 20258mo ago · Modified Jun 17, 20262w ago
4.6 CVSS 4.0
Medium
Find Similar
Published Nov 6, 2025 8mo ago
Last Modified Jun 17, 2026 2w ago

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.

CVSS Details

Base Score
4.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
9.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
openmagemagento* <20.16.0

References 2

  • github.com https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a
    Patch
  • github.com https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a
    Patch