CVE-2026-42458
Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under the admin panel -> System -> Import/Export -> Dataflow - Profiles. This vulnerability is fixed in 20.18.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Magento LTS admin panel's Dataflow Profiles allows arbitrary JavaScript execution via crafted filename parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the Magento Long Term Support (LTS) admin panel under System -> Import/Export -> Dataflow - Profiles [1]. The vulnerability occurs because user-supplied input in the filename parameter is not properly sanitized before being reflected in HTML output. Versions prior to 20.18.0 are affected [1][3].
Exploitation
An attacker must first convince an authenticated admin user to access a specially crafted URL. The attacker can craft a URL with malicious JavaScript in the filename parameter, such as https://demo-admin.example.com/index.php/admin/system_convert_gui/run/id/6/key/.../files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E [3]. When the admin visits the URL, the script executes in the context of the admin's session [3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the admin's browser. This can lead to cookie theft, session hijacking, and UI defacement [3][4]. Because the script runs in the admin panel context, the attacker could also perform administrative actions on behalf of the victim.
Mitigation
The vulnerability is fixed in version 20.18.0 [1][3]. Administrators should ensure they are running the latest version; no other mitigations are documented.
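One compensating control, as an added example that is not part of this advisory or of the Magento LTS project: a small Python scanner over web-server access logs that flags requests to the Dataflow run page whose files/ path segment carries HTML markup after percent-decoding (including double-encoded variants). The log lines, the key value abc123 and the IP addresses are constructed; only the URL path pattern comes from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): one benign Dataflow run,
# one carrying the payload shape from the advisory, one unrelated admin path.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2026:10:01:02 +0000] "GET /index.php/admin/system_convert_gui/run/id/6/key/abc123/files/export.csv HTTP/1.1" 200 512
10.0.0.9 - - [21/May/2026:10:02:17 +0000] "GET /index.php/admin/system_convert_gui/run/id/6/key/abc123/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E HTTP/1.1" 200 4096
10.0.0.9 - - [21/May/2026:10:03:40 +0000] "GET /index.php/admin/dashboard/?q=%3Cscript%3E HTTP/1.1" 200 1024
"""

# Combined/common log format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RUN_PAGE = "/system_convert_gui/run/"          # Dataflow profile "run" controller path
MARKUP_RE = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_dataflow_xss(log_text: str) -> list[dict]:
    """Return log entries hitting the Dataflow run page with markup in the files/ segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or RUN_PAGE not in m["path"]:
            continue
        path = decode_fully(m["path"])
        _, _, file_part = path.partition("/files/")
        if file_part and MARKUP_RE.search(file_part):
            hits.append({"ip": m["ip"], "ts": m["ts"], "file": file_part, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in flag_dataflow_xss(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the server reflected the page rather than rejecting it, which is the case to triage first.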
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.