Cyber Posture

CVE-2026-40488

Severity: High · Public PoC

Published: 20 April 2026
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OpenMage LTS before 20.17.0 validates product custom option file uploads against a blocklist containing only `php` and `exe`, so files with other PHP-executable extensions (such as `.phtml` or `.phar`) can be uploaded into the web-accessible `media/custom_options/quote/` directory. Where the web server executes scripts from that directory, this can lead to remote code execution (CWE-434).

Security Summary

CVE-2026-40488 affects OpenMage LTS, an unofficial community-driven project providing long-term support for the Magento Community Edition e-commerce platform with high backward compatibility. Prior to version 20.17.0, the product custom option file upload feature implements an incomplete blocklist of forbidden extensions limited to `php` and `exe`. Because most PHP handlers are also mapped to alternative extensions, the check is trivially bypassed with names such as `.phtml`, `.phar`, `.php3`, `.php4`, `.php5`, `.php7`, and `.pht`. Uploaded files are stored in the publicly accessible `media/custom_options/quote/` directory which, depending on the web server configuration, may lack server-side execution restrictions, potentially enabling remote code execution (RCE). The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
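To make the blocklist weakness concrete, the following is an added example written for this page; it is not OpenMage's code, and the function names, the allowlist, the MIME table and the demo filenames are assumptions. It contrasts a php/exe-only blocklist with an allowlist-based validator that checks every extension in a multi-dot name, cross-checks the declared type against the file contents, and stores the file under a server-generated name.

```php
<?php
// Added example (not OpenMage's code). Function names, the allowlist and the
// demo inputs below are assumptions made for illustration.
declare(strict_types=1);

// Blocklist modelled on the pre-20.17.0 behaviour described in the advisory:
// only "php" and "exe" are rejected, so .phtml, .phar, .php5 ... pass through.
function isForbiddenByBlocklist(string $filename): bool
{
    $forbidden = ['php', 'exe'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $forbidden, true);
}

// Hardened check: allowlist instead of blocklist; every extension in the name
// is validated (so "shell.php.jpg" fails on a server that matches .php anywhere
// in the name); and the detected MIME type must match the allowlisted extension.
function isAllowedUpload(
    string $filename,
    string $tmpPath,
    array $allowed = ['jpg', 'jpeg', 'png', 'pdf']
): bool {
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                // no extension at all
    }
    array_shift($parts);             // drop the base name, keep every extension
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;            // any unexpected extension anywhere in the name
        }
    }
    // Content sniffing via libmagic; assumed MIME mapping for the allowlist.
    $expected = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'pdf'  => 'application/pdf',
    ];
    $last  = end($parts);
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return isset($expected[$last]) && $mime === $expected[$last];
}

// Store under a random server-generated name: the uploader controls neither the
// base name nor the extension that the web server will eventually see.
function storedName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with constructed inputs.
foreach (['shell.php', 'shell.phtml', 'shell.phar', 'shell.php.jpg', 'photo.jpg'] as $name) {
    printf("%-14s blocklist rejects: %s\n", $name, isForbiddenByBlocklist($name) ? 'yes' : 'no');
}

// Constructed sample files: a minimal PNG header and a PHP source file renamed .png.
$png = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$fakePng = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($fakePng, "<?php system(\$_GET['c']); ?>");

printf("photo.png (real PNG)      allowlist accepts: %s\n", isAllowedUpload('photo.png', $png) ? 'yes' : 'no');
printf("shell.png (PHP inside)    allowlist accepts: %s\n", isAllowedUpload('shell.png', $fakePng) ? 'yes' : 'no');
printf("shell.phtml               allowlist accepts: %s\n", isAllowedUpload('shell.phtml', $fakePng) ? 'yes' : 'no');
printf("stored as: %s\n", storedName('photo.png'));

unlink($png);
unlink($fakePng);
```

The point of the contrast is that a blocklist must enumerate every extension the web server might ever hand to a PHP interpreter, which differs per Apache/nginx/FPM configuration, whereas an allowlist only has to name the handful of types the feature actually needs. Content sniffing and renaming are defence in depth: they do not replace denying execution in the upload directory, which is covered in the mitigation below.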

A low-privileged remote attacker, such as a registered customer who can attach a file to a product custom option, can exploit this by uploading a malicious PHP file with a bypassable extension; the PR:L/UI:N vector reflects that only such an account is needed and no victim interaction is required. If the web server configuration permits script execution in the `media/custom_options/quote/` directory, the attacker can then request the file via its public URL to trigger RCE, with high-impact confidentiality, integrity, and availability consequences for the server.

The GitHub Security Advisory (GHSA-3j5q-7q7h-2hhv) for OpenMage LTS confirms that version 20.17.0 resolves the issue by patching the blocklist and upload handling. Security practitioners should upgrade to 20.17.0 or later. As an interim mitigation, and as defence in depth afterwards, verify that the web server does not execute scripts in the affected directory, and review that directory for previously uploaded files with PHP-executable extensions.
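One way to deny script execution in the upload directory, written here as an added example for nginx with PHP-FPM (it is not taken from the advisory or the OpenMage project; the site root, socket path and the shape of the existing PHP handler are assumptions):

```nginx
# Added example, not from the OpenMage project. Assumes the document root is
# /var/www/openmage and PHP is dispatched by a regex location "~ \.php$".
server {
    root /var/www/openmage;

    # "^~" makes this prefix match win over the regex PHP location below, so a
    # request under this path can never reach fastcgi_pass.
    location ^~ /media/custom_options/quote/ {
        # Refuse to serve any PHP-executable extension at all.
        location ~* \.(php[3457]?|phtml|phar|pht)$ {
            return 403;
        }
        # Everything else is served as a static file and never interpreted.
        try_files $uri =404;
    }

    # Existing PHP handler (illustrative).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

To verify the control, place a harmless `probe.phtml` containing `<?php echo 'executed'; ?>` in `media/custom_options/quote/` by hand and fetch it: a 403, or the raw source served as text, means scripts are not executed there; the word `executed` in the body means they are. The Apache equivalent for the same directory is `php_flag engine off` (mod_php) or `RemoveHandler`/`RemoveType` for the listed extensions, together with a `<FilesMatch>` block using `Require all denied`; note that an `.htaccess` file only takes effect where `AllowOverride` permits it.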

Details

CWE(s)
CWE-434

Affected Products

openmage / magento: versions before 20.17.0 (fixed in 20.17.0)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

This CVE enables exploitation of a public-facing web application (T1190) through the file upload extension-check bypass, which lets an attacker deploy a PHP web shell for RCE and persistent access (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
