OpenMage LTS authenticated remote code execution through layout update
Description
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenMage LTS prior to 19.4.22 and 20.0.19 allows authenticated remote code execution via a layout block bypassing the block blacklist.
Vulnerability
Overview
OpenMage LTS, an e-commerce platform, contained a security vulnerability in layout handling that allowed a specially crafted layout block to bypass the block blacklist, leading to remote code execution. This issue affected versions prior to 19.4.22 and 20.0.19 [1][2].
Attack
Vector
An authenticated attacker exploits this by supplying a layout update whose block invokes a block/method combination that the blacklist was meant to refuse. The attacker needs backend access to inject or modify layout XML, for example through custom modules or a compromised admin account [2].
Impact
Successful exploitation lets the attacker execute arbitrary PHP code on the web server, which amounts to full compromise of the application and, depending on the deployment, the underlying host. Consequences include data theft, site defacement and lateral movement into connected systems [1][4].
Mitigation
OpenMage LTS 19.4.22 and 20.0.19 contain the fix, which enforces the block-method blacklist on the getChildGroup() callback path as well. Affected sites should update immediately; no workaround is documented [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.22 | 19.4.22 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.19 | 20.0.19 |
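The two checks a practitioner would run before trusting that a store is not exposed, as an added example that is not part of the advisory or of OpenMage's own code: compare the installed openmage/magento-lts version from composer.lock against the affected ranges in the table above, and confirm at source level that Mage_Core_Block_Abstract::getChildGroup() calls validateAgainstBlockMethodBlacklist() before its dynamic `$this->$callback($alias)` dispatch, which is what the fix commit adds. The composer.lock document and the two getChildGroup() bodies below are constructed samples (the PHP is trimmed to the lines visible in the fix hunk), not files from a real installation.

```python
"""Offline checks for CVE-2021-41144 exposure of an OpenMage LTS install."""
import json
import re
from typing import Optional, Tuple

PACKAGE = "openmage/magento-lts"

# Affected ranges from the advisory table: (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES = [
    (None, (19, 4, 22)),        # < 19.4.22
    ((20, 0, 0), (20, 0, 19)),  # >= 20.0.0, < 20.0.19
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'v20.0.18' / '20.0.18' / '20.0.18-p1' -> (20, 0, 18)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def installed_version(composer_lock_text: str) -> Optional[str]:
    """Locked version of openmage/magento-lts, or None if the package is not present."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def method_body(php_source: str, method: str) -> Optional[str]:
    """Extract the brace-delimited body of the first `function <method>(` in a PHP file."""
    start = php_source.find(f"function {method}(")
    if start < 0:
        return None
    open_brace = php_source.find("{", start)
    depth = 0
    for j in range(open_brace, len(php_source)):
        if php_source[j] == "{":
            depth += 1
        elif php_source[j] == "}":
            depth -= 1
            if depth == 0:
                return php_source[open_brace:j + 1]
    return None


def source_has_fix(abstract_php: str) -> bool:
    """True when getChildGroup() validates the callback before `$this->$callback(`."""
    body = method_body(abstract_php, "getChildGroup")
    if body is None:
        return False
    check = body.find("validateAgainstBlockMethodBlacklist")
    call = body.find("$this->$callback(")
    return check != -1 and call != -1 and check < call


def assess(composer_lock_text: str, abstract_php: Optional[str] = None) -> dict:
    """Combine both checks; a None field means that check could not be performed."""
    version = installed_version(composer_lock_text)
    return {
        "version": version,
        "version_affected": is_affected_version(version) if version else None,
        "source_patched": source_has_fix(abstract_php) if abstract_php is not None else None,
    }


# --- constructed sample inputs (not real files from any installation) ---
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "openmage/magento-lts", "version": "20.0.18"},
        {"name": "vendor/unrelated", "version": "1.2.3"},
    ]
})

# getChildGroup() reduced to the lines visible in the fix hunk; the real method has more code.
UNPATCHED_ABSTRACT_PHP = """
    public function getChildGroup($groupName, $callback = null, $skipEmptyResults = true)
    {
        $result = [];
        $alias = $block->getBlockAlias();
        if (in_array($alias, $this->_childGroups[$groupName])) {
            if ($callback) {
                $row = $this->$callback($alias);
                if (!$skipEmptyResults || $row) {
                    $result[$alias] = $row;
                }
            }
        }
        return $result;
    }
"""

PATCHED_ABSTRACT_PHP = UNPATCHED_ABSTRACT_PHP.replace(
    "                $row = $this->$callback($alias);",
    "                Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($this, $callback, [$alias]);\n"
    "                $row = $this->$callback($alias);",
)

if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSER_LOCK, UNPATCHED_ABSTRACT_PHP))
    print(assess(SAMPLE_COMPOSER_LOCK, PATCHED_ABSTRACT_PHP))
```

Run both checks together: a version inside an affected range with `source_patched` still False is the case to escalate, while a locally back-ported fix shows up as an affected version number with `source_patched` True. The source check is deliberately only a presence-and-ordering test on the one call site the commit touches; it does not prove that the rest of the tree is at the fixed release.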
Affected products
- OpenMage/magento-lts: < 19.4.22
Patches
06c45940ba32 Merge pull request from GHSA-5j2g-3ph4-rgvm
2 files changed · +1 −2
app/code/core/Mage/Core/Block/Abstract.php+1 −0 modified@@ -852,6 +852,7 @@ public function getChildGroup($groupName, $callback = null, $skipEmptyResults = $alias = $block->getBlockAlias(); if (in_array($alias, $this->_childGroups[$groupName])) { if ($callback) { + Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($this, $callback, [$alias]); $row = $this->$callback($alias); if (!$skipEmptyResults || $row) { $result[$alias] = $row;
app/code/core/Mage/Core/Helper/Security.php+0 −2 modified@@ -28,8 +28,6 @@ class Mage_Core_Helper_Security { private $invalidBlockActions = [ - // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class - // if the class does not exists it breaks. ['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'], ['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'], ];
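Review bot: in the Abstract.php hunk, the new validateAgainstBlockMethodBlacklist($this, $callback, [$alias]) call guards the `$this->$callback($alias)` dispatch, but it is a deny-list check on a method name that arrives from the layout update, so every public method of the block not listed in $invalidBlockActions remains reachable through getChildGroup(); consider also requiring method_exists($this, $callback) (or an explicit allow-list of the callbacks getChildGroup() is meant to accept) before the dynamic call, and add a regression test exercising each pair in Mage_Core_Helper_Security::$invalidBlockActions through this path. The check is correctly placed inside the `if ($callback)` branch rather than at method entry, so callers that pass no callback are unaffected.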
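Review bot: in the Security.php hunk nothing now documents that $invalidBlockActions has to be enforced at every dynamic `$this->$method()` dispatch site, which is exactly the gap the companion Abstract.php change closes; suggest replacing the two deleted comment lines with a one-line note to that effect so the next dispatch path added to Mage_Core_Block_Abstract is not forgotten. Dropping the old comment itself is right: `Mage_Page_Block_Html_Topmenu_Renderer::class` on a named class resolves to a string at compile time and does not autoload the class, so it never "breaks" when the class is absent, and the list entries are otherwise unchanged by this commit.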
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] GitHub Advisory Database, GHSA-5j2g-3ph4-rgvm: https://github.com/advisories/GHSA-5j2g-3ph4-rgvm
[2] NVD, CVE-2021-41144: https://nvd.nist.gov/vuln/detail/CVE-2021-41144
[3] Fix commit 06c45940ba32: https://github.com/OpenMage/magento-lts/commit/06c45940ba3256cdfc9feea12a3c0ca56d23acf8
[4] Release v19.4.22: https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
[5] Release v20.0.19: https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
[6] Repository security advisory GHSA-5j2g-3ph4-rgvm: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5j2g-3ph4-rgvm
News mentions
No linked articles in our index yet.