CVE-2026-42207: Magento LTS Vulnerable to Open Redirect via Unvalidated `uenc` Parameter in `stockAction()`

May 5, 2026

Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal() When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc.

References

github.com/OpenMage/magento-lts
github.com/OpenMage/magento-lts/security/advisories/GHSA-qpgq-5g92-j5q8
github.com/advisories/GHSA-qpgq-5g92-j5q8
nvd.nist.gov/vuln/detail/CVE-2026-42207

Code Behaviors & Features

Detect and mitigate CVE-2026-42207 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →