CVE-2026-21446
CRITICAL
GHSA-6h7w-v2xr-mqvw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
Analysis
Bagisto eCommerce platform (2.3 branch before 2.3.10) leaves installation API routes active after setup, allowing unauthenticated attackers to re-run the installer and take full control of the store including database credentials and admin account. PoC available.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all affected systems running versions on the 2.3 branch and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today