[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-42155":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-16T00:33:26.750Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":192,"aliases":193,"duplicate_of":9,"upstream":194,"downstream":195,"duplicates":196,"related":197,"reserved_at":9,"published_at":198,"modified_at":199,"state":200,"summary":201,"references_raw":208,"kevs":215,"epss":9,"epss_history":216,"metrics":217,"affected":224},"CVE-2026-42155","Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20.18.0.",null,[11,177,186],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-330","Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.","weakness","Stable","Class","High",[20,145,173],{"id":21,"name":22,"techniques":23},"CAPEC-112","Brute Force",[24],{"id":25,"name":22,"tactics":26,"countermeasures":30},"T1110",[27],{"id":28,"name":29},"TA0031","Credential Access",[31,36,40,44,48,52,56,60,64,68,72,76,80,84,89,93,98,103,107,111,115,119,123,127,131,136,141],{"id":32,"name":33,"tactic":34},"D3-CCSA","Credential Compromise Scope Analysis",{"name":35},"Detect",{"id":37,"name":38,"tactic":39},"D3-AEM","Application Exception Monitoring",{"name":35},{"id":41,"name":42,"tactic":43},"D3-OPM","Operational Process Monitoring",{"name":35},{"id":45,"name":46,"tactic":47},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":35},{"id":49,"name":50,"tactic":51},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":35},{"id":53,"name":54,"tactic":55},"D3-CSPP","Client-server Payload Profiling",{"name":35},{"id":57,"name":58,"tactic":59},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":35},{"id":61,"name":62,"tactic":63},"D3-NTSA","Network Traffic Signature Analysis",{"name":35},{"id":65,"name":66,"tactic":67},"D3-APCA","Application Protocol Command Analysis",{"name":35},{"id":69,"name":70,"tactic":71},"D3-NTCD","Network Traffic Community Deviation",{"name":35},{"id":73,"name":74,"tactic":75},"D3-RTSD","Remote Terminal Session Detection",{"name":35},{"id":77,"name":78,"tactic":79},"D3-CAA","Connection Attempt Analysis",{"name":35},{"id":81,"name":82,"tactic":83},"D3-ANAA","Administrative Network Activity Analysis",{"name":35},{"id":85,"name":86,"tactic":87},"D3-CR","Credential Revocation",{"name":88},"Evict",{"id":90,"name":91,"tactic":92},"D3-ANCI","Authentication Cache Invalidation",{"name":88},{"id":94,"name":95,"tactic":96},"D3-DUC","Decoy User Credential",{"name":97},"Deceive",{"id":99,"name":100,"tactic":101},"D3-CH","Credential Hardening",{"name":102},"Harden",{"id":104,"name":105,"tactic":106},"D3-MFA","Multi-factor Authentication",{"name":102},{"id":108,"name":109,"tactic":110},"D3-CRO","Credential Rotation",{"name":102},{"id":112,"name":113,"tactic":114},"D3-PR","Password Rotation",{"name":102},{"id":116,"name":117,"tactic":118},"D3-PWA","Password Authentication",{"name":102},{"id":120,"name":121,"tactic":122},"D3-CDP","Change Default Password",{"name":102},{"id":124,"name":125,"tactic":126},"D3-SPP","Strong Password Policy",{"name":102},{"id":128,"name":129,"tactic":130},"D3-OTP","One-time Password",{"name":102},{"id":132,"name":133,"tactic":134},"D3-RIC","Reissue Credential",{"name":135},"Restore",{"id":137,"name":138,"tactic":139},"D3-CTS","Credential Transmission Scoping",{"name":140},"Isolate",{"id":142,"name":143,"tactic":144},"D3-NTF","Network Traffic Filtering",{"name":140},{"id":146,"name":147,"techniques":148},"CAPEC-485","Signature Spoofing by Key Recreation",[149],{"id":150,"name":151,"tactics":152,"countermeasures":154},"T1552.004","Private Keys",[153],{"id":28,"name":29},[155,157,159,161,163,165,167,169,171],{"id":32,"name":33,"tactic":156},{"name":35},{"id":85,"name":86,"tactic":158},{"name":88},{"id":90,"name":91,"tactic":160},{"name":88},{"id":94,"name":95,"tactic":162},{"name":97},{"id":99,"name":100,"tactic":164},{"name":102},{"id":104,"name":105,"tactic":166},{"name":102},{"id":108,"name":109,"tactic":168},{"name":102},{"id":132,"name":133,"tactic":170},{"name":135},{"id":137,"name":138,"tactic":172},{"name":140},{"id":174,"name":175,"techniques":176},"CAPEC-59","Session Credential Falsification through Prediction",[],{"_key":178,"id":178,"name":179,"description":180,"type":15,"status":181,"abstraction":182,"likelihood_of_exploit":9,"capec":183},"CWE-331","Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.","Draft","Base",[184],{"id":174,"name":175,"techniques":185},[],{"_key":187,"id":187,"name":188,"description":189,"type":15,"status":181,"abstraction":182,"likelihood_of_exploit":190,"capec":191},"CWE-338","Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.","Medium",[],[],[],[],[],[],[],"2026-05-15T17:05:02.436Z","2026-05-15T17:36:27.793Z","Received",{"cisa_kev":202,"cisa_ransomware":202,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":203,"severity_score":204,"severity_version":205,"severity_source":206,"severity_vector":207,"severity_status":200},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",[209],{"url":210,"sources":211,"tags":213},"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr",[206,212],"nvd",[214],"X Refsource CONFIRM",[],[],[218,221],{"source":206,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":219},{"baseScore":204,"baseSeverity":220,"vectorString":207,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":212,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":222},{"baseScore":204,"baseSeverity":220,"vectorString":223,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[225],{"ecosystem":9,"name":226,"vendor":227,"product":226,"cpe_part":228,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":229},"magento-lts","openmage","a",[230],{"version":231,"is_range":232,"range_type":206,"version_start":9,"version_start_type":9,"version_end":233,"version_end_type":234,"fixed_in":9},"\u003C 20.18.0",true,"20.18.0","excluding"]