What is the CVSS score of CVE-2026-21450?

CVE-2026-21450 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.7%.

Which versions of Laravel are affected by CVE-2026-21450?

Organizations using Bagisto face critical risk from CVE-2026-21450 rated CVSS 9.8.. A patch is available.

How to fix or mitigate CVE-2026-21450?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Laravel CVE-2026-21450

CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-01-02 security-advisories@github.com

GHSA-9hvg-qw5q-wqwp

Laravel RCE Bagisto

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 02, 2026 - 21:16 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.

AnalysisAI

Bagisto before 2.3.10 has a second server-side template injection vulnerability, this time via the type parameter. Like CVE-2026-21448, this enables remote code execution through the Blade template engine. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request with malicious type parameter

Exploit

Inject server-side template syntax

Execution

Execute arbitrary code on server

Impact

Achieve remote code execution

Access

Send HTTP request with malicious type parameter

Exploit

Inject server-side template syntax

Execution

Execute arbitrary code on server

Impact

Achieve remote code execution

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against Bagisto versions prior to 2.3.10 with the type parameter endpoint exposed to network requests. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8 (Critical). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a request with a malicious type parameter containing Blade syntax that executes system commands on the server.
Remediation	Update to Bagisto 2.3.10 to fix both SSTI vulnerabilities (CVE-2026-21448 and CVE-2026-21450). Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-21450 vulnerability details – vuln.today

Back

Laravel CVE-2026-21450

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code