CVE-2025-64174: OpenMage vulnerable to XSS in Admin Notifications

November 3, 2025 (updated November 6, 2025)

OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. An administrator with direct database access, or the source of the admin notification feed, could inject malicious scripts into the affected fields. The injected JavaScript may then execute in a victim's browser when they open the page that renders the affected field.
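The weakness class here (CWE-79) is missing output encoding for data that originates outside the application, in this case admin notification items. The following is an added illustration, not OpenMage's code and not the commit referenced below: it renders a constructed notification item with context-appropriate encoding so that markup in a text field is displayed rather than executed. The field names (`title`, `description`, `url`) and the helper names are assumptions; the advisory does not identify the specific field.

```php
<?php
// Added example (not OpenMage code): defensive rendering of admin notification
// feed items. Field and function names are assumptions for illustration.

declare(strict_types=1);

// Encode a value for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles so the value is safe inside double- or single-quoted attributes;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only http(s) URLs are allowed in href; any other scheme is replaced by '#'.
// Encoding alone does not make a URL safe for an href, so the scheme is checked too.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escHtml($url) : '#';
}

// Render one feed item. Every externally sourced value passes through an encoder
// matching the context it is written into (attribute vs. element text).
function renderNotification(array $item): string
{
    return sprintf(
        '<li class="notification"><a href="%s">%s</a><p>%s</p></li>',
        safeHref((string) ($item['url'] ?? '')),
        escHtml((string) ($item['title'] ?? '')),
        escHtml((string) ($item['description'] ?? ''))
    );
}

// Constructed sample item: a feed entry whose text fields contain markup.
$item = [
    'title'       => 'Maintenance <b>notice</b>',
    'description' => 'Body text with <script>...</script> embedded',
    'url'         => 'https://example.com/notice',
];

echo renderNotification($item), PHP_EOL;
```

Run with `php example.php`; the `<b>` and `<script>` tags in the sample item appear in the output as `&lt;b&gt;` and `&lt;script&gt;`, so the browser shows them as text. The same encoding step belongs at the point where the feed data is rendered, regardless of whether the data was stored by a trusted process, because the advisory's attacker model includes a compromised feed source or database row.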

References

  • github.com/OpenMage/magento-lts
  • github.com/OpenMage/magento-lts/commit/9d604f5489851c54a96fca31b0e13c414b0fb20a
  • github.com/OpenMage/magento-lts/security/advisories/GHSA-qv78-c8hc-438r
  • github.com/advisories/GHSA-qv78-c8hc-438r
  • nvd.nist.gov/vuln/detail/CVE-2025-64174

Affected versions

All versions before 20.16.0

Fixed versions

  • 20.16.0

Solution

Upgrade to version 20.16.0 or above.

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

packagist/openmage/magento-lts/CVE-2025-64174.yml

Page generated Mon, 10 Nov 2025 12:19:54 +0000.