CVE-2025-27400

Description

As reported by [Aakash Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag. ### Impact A malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel. The attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users. 

How to fix CVE-2025-27400

To remediate CVE-2025-27400, upgrade the affected package to a fixed version below.

• —upgrade to 20.12.3 or later

Is CVE-2025-27400 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 20.12.3

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-27400
• PATCHgithub.com/OpenMage/magento-lts
• WEBgithub.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea
• WEBgithub.com/OpenMage/magento-lts/releases/tag/v20.12.3