OpenMage LTS Vulnerability Allows Arbitrary Code Execution via Phar Files
The National Vulnerability Database has identified a critical vulnerability (CVE-2026-25524) in OpenMage LTS, an unofficial community fork of Magento. Versions prior to 20.17.0 are susceptible to arbitrary code execution. This is achieved by exploiting PHP’s phar:// stream wrapper when processing uploaded files, such as images. Functions like getimagesize(), file_exists(), and is_readable() can be tricked into deserializing malicious PHAR archives disguised as image files during validation or media handling.
The attacker’s calculus here is straightforward: gain initial access by uploading a crafted PHAR file, then trigger the vulnerable functions. This bypasses typical image validation and directly leads to code execution on the server. The CVSS score of 8.1 (HIGH) underscores the severity, with the vector indicating network-accessible exploitation with minimal prerequisites (no authentication, low complexity) and high impact across confidentiality, integrity, and availability.
Defenders must prioritize patching OpenMage LTS installations to version 20.17.0 or later immediately. For organizations unable to patch, strict input validation on all file uploads is paramount, specifically scrutinizing file types and contents for signs of PHAR archives. Monitoring file system access logs for suspicious phar:// wrapper usage can also aid in early detection of exploitation attempts.
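As an added example (not OpenMage's own code), a PHP upload validator that applies the two defensive checks above before any of the affected functions touches the file: it refuses paths that name a stream wrapper, and it rejects content carrying the `__HALT_COMPILER();` stub that every PHAR archive must contain. Function names are assumed for illustration.

```php
<?php
// Added example, not OpenMage code. Validates an uploaded image before
// getimagesize()/file_exists()/is_readable() ever see the path.

function upload_path_is_plain(string $path): bool
{
    // Any scheme prefix (phar://, data://, ...) selects a PHP stream wrapper.
    // A freshly uploaded temp file is a plain local path and never needs one,
    // so reject the path before a filesystem function can resolve it.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    $real = realpath($path);
    return $real !== false && is_file($real);
}

function looks_like_phar(string $path): bool
{
    // The PHAR format requires a PHP stub ending in __HALT_COMPILER();
    // A genuine image has no reason to contain that token anywhere, so a
    // JPEG/PNG polyglot with an appended archive is caught here.
    $data = file_get_contents($path);
    return $data !== false && stripos($data, '__HALT_COMPILER') !== false;
}

function validate_image_upload(
    string $tmpPath,
    array $allowedTypes = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF]
): bool {
    if (!upload_path_is_plain($tmpPath) || looks_like_phar($tmpPath)) {
        return false;
    }
    // Only now is it safe to let PHP parse the image header; the result is
    // checked against an explicit allow-list rather than trusted blindly.
    $info = @getimagesize($tmpPath);
    return $info !== false && in_array($info[2], $allowedTypes, true);
}

// Typical call site (hypothetical form field name 'image'):
// if (!validate_image_upload($_FILES['image']['tmp_name'])) { /* reject */ }
```

Run the check on the temporary upload path before moving the file into the media directory, and keep the stored filename server-generated so no user-supplied name reaches a path later passed to these functions.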
What This Means For You
- If your organization uses OpenMage LTS, check your current version and patch to 20.17.0 or higher immediately. If patching is not feasible, audit your file upload mechanisms for robust validation against PHAR files and monitor logs for `phar://` stream usage.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-25524 | Vulnerability | CVE-2026-25524 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 20, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.