[GHSA-pgj4-g5j4-cmfx] cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction#8423
Open
sBatao wants to merge 1 commit into
Conversation
Copilot stopped work on behalf of
sBatao due to an error
June 30, 2026 11:14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates
Comments
We would like to request a review of advisory GHSA-pgj4-g5j4-cmfx affecting the package cart2quote/module-quotation-encoded.
The vulnerability described in the advisory appears to relate to the legacy Magento 1 implementation of Cart2Quote. The advisory references Magento 1 file paths such as:
app/code/community/Ophirah/...
However, the Composer package cart2quote/module-quotation-encoded is a Magento 2 package, and these Magento 1 files are not present in the affected package versions.
As a result, the advisory appears to associate a Magento 1 vulnerability with Magento 2 package versions that do not contain the vulnerable code. The issue described in the advisory is therefore not applicable to the current Magento 2 codebase.
We kindly request that the advisory be reviewed and, if appropriate:
Remove the affected Magento 2 package association.
Correct the affected version ranges.
Withdraw the advisory if it does not apply to the package.
We are happy to provide additional information or code references if needed.
Thank you for your time and consideration.