{"id":"CVE-2021-21426","details":"Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.","aliases":["GHSA-m496-x567-f98c"],"modified":"2026-04-10T04:29:39.529685Z","published":"2021-04-21T21:15:07.960Z","related":["GHSA-m496-x567-f98c"],"references":[{"type":"ADVISORY","url":"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openmage/magento-lts","events":[{"introduced":"0"},{"fixed":"f71321b37a782bd167ef56de0c6e18e67645685d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"19.4.13"}]}}],"versions":["1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.2.0","1.2.0.1","1.2.0.2","1.2.0.3","1.2.1","1.2.1.2","1.3.0","1.3.1","1.3.1.1","1.3.2","1.3.2.1","1.3.2.2","1.3.2.3","1.3.2.4","1.4.0.0","1.4.0.0-alpha1","1.4.0.0-alpha2","1.4.0.0-alpha3","1.4.0.0-beta1","1.4.0.0-rc1","1.4.0.1","1.4.1.0","1.4.1.1","1.4.2.0","1.5.0.0","1.5.0.0-alpha1","1.5.0.0-alpha2","1.5.0.0-beta1","1.5.0.0-beta2","1.5.0.0-rc1","1.5.0.0-rc2","1.5.0.1","1.5.1.0","1.6.0.0","1.6.0.0-alpha1","1.6.0.0-beta1","1.6.0.0-rc1","1.6.0.0-rc2","1.6.1.0","1.7.0.0","1.7.0.1","1.7.0.2","1.8.1.0","1.9.0.0","1.9.0.1","1.9.1.0-lts","1.9.1.1","v19.4.0","v19.4.1","v19.4.10","v19.4.11","v19.4.12","v19.4.2","v19.4.3","v19.4.4","v19.4.5","v19.4.6","v19.4.7","v19.4.8","v19.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21426.json","unresolved_ranges":[{"events":[{"introduced":"20.0.0"},{"fixed":"20.0.9"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}