EUVD-2026-35036
GHSA-qhcg-rw5x-vg94
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.
Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
AnalysisAI
Arbitrary file read in Bagisto v2.4.1 allows unauthenticated remote attackers to retrieve sensitive files outside the web root by injecting path traversal sequences into the filename parameter of the ImageCacheController. The CVSS 4.0 base score of 8.7 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality impact, and no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires only that a Bagisto v2.4.1 instance be network-reachable and serving the vulnerable ImageCacheController image endpoint, which is enabled in the default storefront configuration; no authentication, no user interaction, and no special privileges are needed (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is meaningful but bounded to confidentiality. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet for Bagisto storefronts, then issues an unauthenticated GET request to the ImageCacheController endpoint with a filename parameter such as '../../../../.env' or '../../../../etc/passwd'. The server returns the file contents, leaking the Laravel APP_KEY, database credentials, SMTP secrets, and payment gateway API keys, which the attacker uses to forge sessions, dump the customer database, or pivot deeper into the merchant's infrastructure. |
| Remediation | No vendor-released patch identified at time of analysis in the supplied data; operators should consult the CERT-In advisory (https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0292) and the Bagisto GitHub repository for a fixed release beyond v2.4.1 and upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all Bagisto 2.4.1 instances in production and development; document data sensitivity and customer exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today