Which versions of Bagisto are affected by EUVD-2026-35036?

Bagisto v2.4.1, a widely-deployed open-source e-commerce platform, contains an unauthenticated arbitrary file read vulnerability that allows attackers to extract sensitive files including database…

How to fix or mitigate EUVD-2026-35036?

24 hours: Identify and inventory all Bagisto 2.4.1 instances in production and development; document data sensitivity and customer exposure. 7 days: Implement compensating controls including network-based access restrictions to ImageCacheController endpoints and WAF rules blocking path traversal patterns (../ and URL-encoded variants). 30 days: Execute upgrade path to latest Bagisto release when patches become available; if urgency requires sooner mitigation, evaluate disabling image cache functionality or transitioning to alternative e-commerce platform with security-hardened image handling.

Bagisto EUVD-2026-35036

Q: What is the CVSS score of EUVD-2026-35036?

EUVD-2026-35036 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

| CVE-2026-9506 HIGH

Path Traversal (CWE-22)

2026-06-08 CERT-In

GHSA-qhcg-rw5x-vg94

Path Traversal Bagisto

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 12:30 vuln.today

CVSS changed

Jun 08, 2026 - 10:22 NVD

8.7 (HIGH)

DescriptionCVE.org

This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.

Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

AnalysisAI

Arbitrary file read in Bagisto v2.4.1 allows unauthenticated remote attackers to retrieve sensitive files outside the web root by injecting path traversal sequences into the filename parameter of the ImageCacheController. The CVSS 4.0 base score of 8.7 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality impact, and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed Bagisto storefront

Delivery

Craft filename with ../ traversal

Exploit

Send GET to ImageCacheController

Execution

Server returns out-of-scope file

Impact

Harvest .env secrets and credentials