CVE-2025-64174
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64174, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-06

Last updated on: 2026-02-04

Assigner: GitHub, Inc.

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Unescaped translation strings and URLs are printed into contexts inside app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Actions.php. A malicious translation or polluted data can inject script. This issue is fixed in version 20.16.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-06
Last Modified
2026-02-04
Generated
2026-07-06
AI Q&A
2025-11-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openmage magento to 20.16.0 (inc)
openmage magento_lts 20.15.0
openmage magento_lts 20.16.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in Magento-lts versions 20.15.0 and below. It allows an admin with direct database access or access to the admin notification feed source to inject malicious scripts into vulnerable fields. The problem arises because unescaped translation strings and URLs are printed in certain parts of the admin interface, which can lead to script injection if the data is maliciously crafted. This vulnerability is fixed in version 20.16.0.

Impact Analysis

This vulnerability can allow an attacker with admin database access or control over the admin notification feed to inject malicious scripts into the Magento-lts admin interface. This could lead to unauthorized actions being performed in the admin panel, potential theft of sensitive information, or further compromise of the system through script execution in the context of the admin user.

Mitigation Strategies

Upgrade Magento-lts to version 20.16.0 or later, as this version contains the fix for the stored Cross-Site Scripting (XSS) vulnerability. Additionally, restrict admin access to trusted users only and avoid using untrusted data in admin notification feeds or translation strings until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart