CVE-2025-64174
MEDIUMOpenMage Magento < 20.16.0 - Stored Cross-Site Scripting in Admin Notification Grid Actions Renderer
Title source: llmDescription
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r
Scores
CVSS v3
4.8
EPSS
0.0019
EPSS Percentile
9.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
openmage/magento
< 20.16.0
openmage/magento-lts
0 - 20.16.0Packagist
Published
Nov 06, 2025
Tracked Since
Feb 18, 2026