Layout XML Arbitrary Code Fix
Description
OpenMage Magento LTS is an alternative to the official Magento CE releases. Prior to versions 19.4.15 and 20.0.11, layout XML allowed admin users to execute arbitrary commands via block methods. OpenMage v19.4.15, v20.0.11 and later releases have this issue patched.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Layout XML in OpenMage Magento LTS prior to 19.4.15 and 20.0.11 allows admin users to execute arbitrary commands via block methods.
Vulnerability
CVE-2021-32758 is a vulnerability in OpenMage Magento LTS, an alternative to the official Magento CE releases. In versions prior to 19.4.15 and 20.0.11, layout XML processing allowed admin users to execute arbitrary commands through block methods [1][3]. Layout XML `<action method="...">` nodes are dispatched as method calls on the block they target; the block/method blacklist in Mage_Core_Helper_Security::validateAgainstBlockMethodBlacklist compared only the bare method name, and the fix commit extends that comparison to the `Class::method` spelling of the call [3]. The code path is reachable by any authenticated admin user who can supply or modify layout XML.
Exploitation
An attacker needs admin-level access to the Magento backend. By supplying malicious layout XML (for example through an admin-editable Layout Update XML field on a CMS page or widget instance, or a layout file in a custom theme or module), the attacker can make the layout engine invoke block methods that lead to system command execution [3]. No user interaction is required beyond the admin's ability to deploy or modify layout XML.
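The following is an added example, not code from OpenMage or from the sources cited on this page. It models, in PHP, the dispatch and blacklist check described in the Vulnerability and Exploitation sections with hypothetical classes (Demo_Block_Abstract, Demo_Block_Template) and a hypothetical blacklisted method (fetchView), so the bypass that the fix commit addresses, the check in the shape of the fix, and a stricter variant can all be run locally. Nothing in it executes a command; the "dangerous" method only records that it was reached.

```php
<?php
// Added example (not OpenMage code). Models how a layout-XML
// <action method="..."> is dispatched to a block through a block/method
// blacklist shaped like the patched helper's $invalidBlockActions, and why
// a comparison on the bare method name can be bypassed through PHP's
// [$object, 'Class::method'] callable form. Class and method names are
// hypothetical stand-ins.

class Demo_Block_Abstract
{
    public $log = [];

    // Stand-in for a method that must never be reachable from layout XML.
    // Here it only records the call.
    public function fetchView($file)
    {
        $this->log[] = "fetchView({$file})";
        return 'rendered';
    }

    // An ordinary, harmless layout action.
    public function setTitle($title)
    {
        $this->log[] = "setTitle({$title})";
        return $this;
    }
}

class Demo_Block_Template extends Demo_Block_Abstract {}

// Same shape as the blacklist the helper iterates over.
$invalidBlockActions = [
    ['block' => 'Demo_Block_Abstract', 'method' => 'fetchView'],
];

// Pre-fix logic: matches only the bare method name.
function validateVulnerable($block, $method, array $blacklist)
{
    foreach ($blacklist as $action) {
        if ($block instanceof $action['block']
            && strtolower($action['method']) === strtolower($method)) {
            throw new RuntimeException("forbidden: {$method}");
        }
    }
}

// Logic in the shape of the fix: additionally matches the exact
// "<blacklisted class>::<method>" spelling.
function validatePatched($block, $method, array $blacklist)
{
    $calledMethod = strtolower($method);
    foreach ($blacklist as $action) {
        if ($block instanceof $action['block']
            && (strtolower($action['method']) === $calledMethod
                || strtolower($action['block'] . '::' . $action['method']) === $calledMethod)) {
            throw new RuntimeException("forbidden: {$method}");
        }
    }
}

// Stricter variant: drop whatever class prefix was supplied and compare the
// bare method name, so no spelling of the callable reaches a blacklisted method.
function validateStrict($block, $method, array $blacklist)
{
    $parts = explode('::', $method);
    $bare  = strtolower(end($parts));
    foreach ($blacklist as $action) {
        if ($block instanceof $action['block'] && strtolower($action['method']) === $bare) {
            throw new RuntimeException("forbidden: {$method}");
        }
    }
}

// Mirrors the dispatch pattern: validate first, then call the block method.
function dispatchAction($block, $method, array $args, callable $validator, array $blacklist)
{
    $validator($block, $method, $blacklist);
    return call_user_func_array([$block, $method], $args);
}

$block = new Demo_Block_Template();

// An ordinary action passes every check.
dispatchAction($block, 'setTitle', ['Home'], 'validateVulnerable', $invalidBlockActions);

// PHP accepts [$obj, 'Class::method'] when Class is the object's class or an
// ancestor (deprecated since PHP 8.2, still executed). Each spelling below
// reaches fetchView() if the validator lets it through.
$spellings = [
    'fetchView',
    'Demo_Block_Abstract::fetchView',   // the spelling the fix adds to the check
    'Demo_Block_Template::fetchView',   // concrete class: not the blacklisted class name
];
foreach (['validateVulnerable', 'validatePatched', 'validateStrict'] as $validator) {
    foreach ($spellings as $method) {
        try {
            dispatchAction($block, $method, ['x.phtml'], $validator, $invalidBlockActions);
            printf("%-18s %-34s reached fetchView\n", $validator, $method);
        } catch (RuntimeException $e) {
            printf("%-18s %-34s blocked\n", $validator, $method);
        }
    }
}
```

Run it with `php demo.php`. The pre-fix check stops only the bare `fetchView` spelling; the check in the shape of the fix also stops `Demo_Block_Abstract::fetchView`; the strict variant stops all three, because it compares the method name after any `::` prefix has been removed rather than enumerating prefixes. The PHP 8.2 deprecation notice for the `[$obj, 'Class::method']` form is a warning only and does not prevent the call.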
Impact
Successful exploitation results in arbitrary command execution on the underlying server, typically with the privileges of the web server user. This can lead to full compromise of the application and server, including data exfiltration, modification, or further lateral movement [1][3].
Mitigation
The vulnerability is patched in OpenMage Magento LTS 19.4.15 and 20.0.11, released on 2021-08-26 [4]. Note that the GitHub Security Advisory data in the table below lists 20.0.13 as the patched version for the 20.x branch, so installations on 20.0.11 or 20.0.12 should move to 20.0.13 or later. Users should upgrade immediately; no workaround is available for unpatched versions. Because exploitation requires admin access, restricting and auditing admin accounts and their ability to edit layout XML reduces exposure but does not remove it. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| openmage/magento-lts | Packagist | < 19.4.15 | 19.4.15 |
| openmage/magento-lts | Packagist | >= 20.0.0, < 20.0.13 | 20.0.13 |
Affected products
- OpenMage/magento-lts, range: < 19.4.15
Patches
- b99307d00b59 Merge pull request from GHSA-26rr-v2j2-25fh
1 file changed · +4 −1
app/code/core/Mage/Core/Helper/Security.php+4 −1 modified@@ -21,7 +21,10 @@ class Mage_Core_Helper_Security public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args) { foreach ($this->invalidBlockActions as $action) { - if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) { + $calledMethod = strtolower($method); + if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) + || ($block instanceof $action['block'] + && strtolower($action['block'] . '::' . $action['method']) === $calledMethod)) { Mage::throwException( sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method) );
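Review bot: the added `Class::method` comparison on the `+` lines only matches when the prefix is exactly `$action['block']`, so a method string naming any other class that PHP accepts in the `[$obj, 'Class::method']` callable form (the block's own concrete class, or another ancestor that inherits the method) is compared neither against `$action['method']` nor against the new concatenated string and falls through to the call. Rather than enumerating spellings, split `$method` on `::` and compare the trailing method name against the blacklist regardless of prefix, or refuse any `::` in a layout action method outright, since layout XML has no legitimate need to name a class. Minor: `$block instanceof $action['block']` is evaluated on both sides of the `||`; hoisting it into a single outer condition reads more clearly.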
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-26rr-v2j2-25fh (GitHub advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-32758 (NVD entry)
3. github.com/OpenMage/magento-lts/commit/b99307d00b59c4a226a1e3e4083f02cf2fc8fce7 (fix commit)
4. github.com/OpenMage/magento-lts/releases/tag/v19.4.15 (release)
5. github.com/OpenMage/magento-lts/releases/tag/v20.0.11 (release)
6. github.com/OpenMage/magento-lts/releases/tag/v20.0.13 (release)
7. github.com/OpenMage/magento-lts/security/advisories/GHSA-26rr-v2j2-25fh (OpenMage advisory)
News mentions
No linked articles in our index yet.