Is there a public PoC exploit available for CVE-2026-6745?

Yes, a public proof-of-concept exploit is available for CVE-2026-6745. Prioritise patching immediately. EPSS: 0.0%.

Bagisto CVE-2026-6745

Q: What is the CVSS score of CVE-2026-6745?

CVE-2026-6745 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-24243 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-21 VulDB

GHSA-65fp-7g2v-658r

XSS Bagisto

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 21, 2026 - 19:47 vuln.today

Severity Changed

Apr 21, 2026 - 19:22 NVD

LOW MEDIUM

CVSS changed

Apr 21, 2026 - 19:22 NVD

3.5 (LOW) 5.1 (MEDIUM)

EUVD ID Assigned

Apr 21, 2026 - 19:00 euvd

EUVD-2026-24243

Analysis Generated

Apr 21, 2026 - 19:00 vuln.today

CVE Published

Apr 21, 2026 - 18:30 nvd

LOW 2.0

DescriptionCVE.org

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."

AnalysisAI

Stored cross-site scripting (XSS) in Bagisto up to version 2.3.15 allows authenticated attackers to inject malicious scripts via the Custom Scripts Handler component, which are then executed in the browsers of other users with user-interaction. The vulnerability has publicly available exploit code and affects the integrity of user sessions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Gain legitimate or compromised admin credentials

Delivery

Access Custom Scripts Handler component

Exploit

Inject malicious JavaScript into script field

Install

Store malicious script

Victim visits page executing custom script

Execute

Browser executes injected code

Impact

Session token/credential theft or unauthorized action performed