CVE-2026-42458
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Description
A reflected XSS vulnerability was found under admin panel -> System -> Import/Export -> Dataflow - Profiles. ## Steps to produce + Login to the admin panel + Go to the path `System -> Import/Export -> Dataflow - Profiles` + Select profile direction as `Import`. + Click on `Import Customers` + Upload the file. File Link: [customer_20260212_204335.csv](https://github.com/user-attachments/files/25629638/customer_20260212_204335.csv) + Go back to `Run profile`. + Select the uploaded file and Click on `Run in Popup`. + One can see a URL like this ``` https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/ ``` + One can see the filename getting reflection in HTML tags. + Inject an HTML tag and observe. ``` https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/"><h3>hacked</h3>/ ``` <img width="1796" height="302" alt="image (3)" src="https://github.com/user-attachments/assets/502330b0-fa73-4b90-a81f-6216a98e474a" /> + One can see the tag is getting executed. + Proceed for XSS. ``` https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E ``` <img width="1670" height="562" alt="image (4)" src="https://github.com/user-attachments/assets/98a75081-fa8c-4483-9078-0ab5e7e14e4d" /> + There is an XSS popup. ## Impact Cookie stealing, JS deface, many more
How to fix CVE-2026-42458
To remediate CVE-2026-42458, upgrade the affected package to a fixed version below.
- —upgrade to 20.18.0 or later
Is CVE-2026-42458 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 20.18.0