[MEDIUM] Magento's X-Original-Url header can expose admin url

PKSA-nz6n-ckcm-yb2x CVE-2026-25523 GHSA-jg68-vhv3-9r8f

Affected package: openmage/magento-lts

Affected version: <20.16.1

Reported by:
GitHub