Cyber Resilience

CVE-2026-40488

Severity: High · Public PoC

Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (OpenMage LTS 20.17.0)
CVSS Score (v4): 8.7 · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0069 (48.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40488 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Openmage Magento. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40488 affects OpenMage LTS, an unofficial community-driven project providing long-term support for the Magento Community Edition e-commerce platform with high backward compatibility. Prior to version 20.17.0, the product custom option file upload feature implements an incomplete blocklist of forbidden extensions limited to `php` and `exe`. This allows trivial bypass using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Uploaded files are stored in the publicly accessible `media/custom_options/quote/` directory, which may lack server-side execution restrictions in some configurations, potentially enabling remote code execution (RCE). The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

A low-privileged remote attacker, such as an authenticated user with access to upload custom product options (e.g., a registered customer), can exploit this by uploading a malicious PHP file with a bypassable extension. If the web server configuration permits script execution in the `media/custom_options/quote/` directory, the attacker can then access the file via its public URL to trigger RCE, achieving high-impact confidentiality, integrity, and availability compromises on the server.

The GitHub Security Advisory (GHSA-3j5q-7q7h-2hhv) for OpenMage LTS confirms that version 20.17.0 resolves the issue by patching the blocklist and upload handling. Security practitioners should upgrade to 20.17.0 or later and verify web server configurations to deny script execution in the affected directory as an interim mitigation.
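To make the root cause concrete, the following added example (written for this page, not code from OpenMage LTS) contrasts the pre-20.17.0 policy, a blocklist containing only `php` and `exe`, with an allowlist of the file types a customer upload would actually be expected to carry. The allowlist contents (`jpg`, `jpeg`, `png`, `gif`, `pdf`) and all sample filenames are assumptions constructed for the demonstration; the bypass extensions are the ones named in the advisory.

```python
"""Constructed example: blocklist vs allowlist extension validation for uploads."""
import os

# The pre-20.17.0 behaviour described in the advisory: only two forbidden extensions.
FORBIDDEN_EXTENSIONS = {"php", "exe"}

# Assumed allowlist for a customer-facing custom-option upload (not taken from the page).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Alternative PHP-executable extensions listed in the advisory.
PHP_EXECUTABLE_VARIANTS = ["phtml", "phar", "php3", "php4", "php5", "php7", "pht"]


def extension_of(filename: str) -> str:
    """Return the final extension in lowercase, or '' if the name has none."""
    base = os.path.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot and ext else ""


def blocklist_accepts(filename: str) -> bool:
    """Vulnerable policy: accept anything that is not explicitly forbidden."""
    return extension_of(filename) not in FORBIDDEN_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened policy: accept only extensions that are explicitly expected.

    A missing extension is rejected too, so the decision never depends on
    the web server guessing a handler for the stored file.
    """
    ext = extension_of(filename)
    return bool(ext) and ext in ALLOWED_EXTENSIONS


def compare_policies(filenames):
    """Return {filename: (blocklist_result, allowlist_result)} for each name."""
    return {f: (blocklist_accepts(f), allowlist_accepts(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names: benign documents plus each advisory-listed variant.
    samples = ["photo.jpg", "design.pdf", "upload.php"]
    samples += [f"upload.{e}" for e in PHP_EXECUTABLE_VARIANTS]
    for name, (block, allow) in compare_policies(samples).items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:14} blocklist={verdict(block):6} allowlist={verdict(allow)}")
```

Run stand-alone, the table shows every advisory-listed variant passing the blocklist and failing the allowlist, which is the practical argument for allowlisting on upload paths. Application-layer validation is one layer; the deny-script-execution configuration on `media/custom_options/quote/` described above remains the second, independent layer.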


Vulnerability details

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions for some configurations, enabling Remote Code Execution if this directory is not explicitly denied script execution. Version 20.17.0 patches the issue.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via unrestricted file upload bypass, allowing deployment of PHP web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
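For the detection side of the T1190/T1505.003 mapping, the following added example (not from the page or the OpenMage project) flags web-server access-log requests for PHP-executable files under the `media/custom_options/quote/` path named in the advisory. The Combined Log Format parsing, the sample log lines and the IP addresses are all constructed for the demonstration; the extension set is `php` plus the advisory-listed variants.

```python
"""Constructed example: flag requests for PHP-executable files under the upload path."""
import re

UPLOAD_PATH = "/media/custom_options/quote/"
# 'php' plus the alternative extensions named in the advisory.
PHP_EXECUTABLE = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "pht"}

# Minimal Combined Log Format matcher: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2026:10:01:02 +0000] "POST /checkout/cart/add/product/42/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Apr/2026:10:01:09 +0000] "GET /media/custom_options/quote/1a2b3c.phtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2026:10:02:30 +0000] "GET /media/custom_options/quote/9f8e7d.jpg HTTP/1.1" 200 34567 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Apr/2026:10:03:15 +0000] "GET /media/custom_options/quote/4d5e6f.phar HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_php_executable_upload(path: str) -> bool:
    """True if the request path targets a PHP-executable file under the upload directory."""
    path = path.split("?", 1)[0].lower()      # ignore any query string
    if not path.startswith(UPLOAD_PATH):
        return False
    _, dot, ext = path.rpartition(".")
    return bool(dot) and ext in PHP_EXECUTABLE


def find_suspicious_requests(log_text: str):
    """Scan log text and return one finding per request for an executable upload.

    'served' is True when the server answered 200. That alone does not prove the
    file was executed rather than returned as static content, but a 200 on a
    .phtml/.phar under this path warrants checking the directory configuration
    and the file itself; a 403 shows the execution-denial rule doing its job.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_php_executable_upload(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "served": rec["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['ts']} {f['ip']} {f['status']} {flag} {f['path']}")
```

On the constructed sample the scan returns two findings from the same client, one served with 200 and one blocked with 403, and ignores the `.jpg` request. Pointing the same function at a real access log is a quick way to confirm whether the interim execution-denial mitigation is actually in force on a given host.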

CVEs Like This One

- CVE-2026-25524 · Same product: Openmage Magento
- CVE-2025-24406 · Same product class: CMS core
- CVE-2025-22654 · Shared CWE-434
- CVE-2025-11948 · Shared CWE-434
- CVE-2025-67260 · Shared CWE-434
- CVE-2025-28915 · Shared CWE-434
- CVE-2023-53956 · Shared CWE-434
- CVE-2025-6058 · Shared CWE-434
- CVE-2021-47819 · Shared CWE-434
- CVE-2025-7852 · Shared CWE-434

Affected Assets

Vendor: openmage
Product: magento
Version: ≤ 20.17.0

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Requires comprehensive server-side validation of file uploads to block dangerous PHP-executable extensions like `.phtml` and `.phar`, directly preventing the blocklist bypass that leads to RCE.
- CM-6 Configuration Settings (prevent): Mandates secure web server configuration settings to deny script execution in publicly accessible upload directories such as `media/custom_options/quote/`.
- Flaw remediation (prevent): Requires monitoring for vulnerabilities like CVE-2026-40488 and timely application of patches such as OpenMage LTS version 20.17.0 to remediate the incomplete file upload blocklist.
