Bagisto

10 CVEs product

Monthly

CVE-2026-9506 HIGH This Week

Arbitrary file read in Bagisto v2.4.1 allows unauthenticated remote attackers to retrieve sensitive files outside the web root by injecting path traversal sequences into the filename parameter of the ImageCacheController. The CVSS 4.0 base score of 8.7 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality impact, and no public exploit identified at time of analysis.

Tags: Path Traversal, Bagisto | Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.2%
CVE-2026-6745 PHP LOW POC Monitor

Stored cross-site scripting (XSS) in Bagisto up to version 2.3.15 allows authenticated attackers to inject malicious scripts via the Custom Scripts Handler component, which are then executed in the browsers of other users with user interaction. The vulnerability has publicly available exploit code and affects the integrity of user sessions. The vendor has acknowledged the issue and committed to fixes in upcoming releases, but no patched version had been released at time of analysis.

Tags: XSS, Bagisto | Sources: NVD, VulDB | CVSS 4.0: 2.0 | EPSS: 0.0%
CVE-2026-6744 PHP LOW POC Monitor

Server-side request forgery in Bagisto's Downloadable Link Handler component (versions up to 2.3.15) allows authenticated remote attackers to perform arbitrary HTTP requests on behalf of the server, potentially enabling access to internal resources, metadata services, or information disclosure. The vulnerability has publicly available exploit code and affects the copy function; its CVSS score (5.3) is low to moderate, but the real-world impact is concrete if internal services are exposed. The vendor acknowledges the issue and states that fixes are coming in upcoming releases.

Tags: SSRF, Bagisto | Sources: NVD, VulDB | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-21451 PHP HIGH POC PATCH This Week

Stored XSS in Bagisto's CMS page editor allows authenticated attackers to bypass input sanitization by crafting malicious HTTP requests, enabling persistent JavaScript injection that executes when administrators view or edit pages. Public exploit code exists for this vulnerability, creating high-risk scenarios including admin account compromise and backend system hijacking. Bagisto versions prior to 2.3.10 are affected, and no patch is currently available for the underlying Laravel platform.

Tags: Laravel, XSS, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 8.4 | EPSS: 0.0%
CVE-2026-21450 PHP CRITICAL PATCH Act Now

Bagisto before 2.3.10 has a second server-side template injection vulnerability, this time via the type parameter. Like CVE-2026-21448, this enables remote code execution through the Blade template engine. Patch available in 2.3.10.

Tags: Laravel, RCE, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.7%
CVE-2026-21449 PHP HIGH POC PATCH This Week

Bagisto eCommerce platform versions before 2.3.10 suffer from server-side template injection through user-controllable first and last name fields, allowing low-privilege authenticated users to achieve remote code execution. This high-severity vulnerability (CVSS 8.8) affects confidentiality, integrity, and availability with public exploit code available and no patch currently deployed. Organizations running affected Bagisto instances should immediately upgrade to version 2.3.10 or later.

Tags: Laravel, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 8.8 | EPSS: 0.0%
CVE-2026-21448 PHP CRITICAL POC PATCH Act Now

Bagisto eCommerce platform before 2.3.10 is vulnerable to server-side template injection (SSTI) through customer address fields during checkout. A normal customer can inject Blade template code that executes when viewed in the admin panel, achieving RCE. PoC available.

Tags: Laravel, RCE, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.2%
CVE-2026-21447 PHP HIGH POC PATCH This Week

Bagisto is an open source Laravel eCommerce platform. [CVSS 7.1 HIGH]

Tags: Laravel, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-21446 PHP CRITICAL POC PATCH Act Now

Bagisto eCommerce platform (2.3 branch before 2.3.10) leaves installation API routes active after setup, allowing unauthenticated attackers to re-run the installer and take full control of the store including database credentials and admin account. PoC available.

Tags: Laravel, Bagisto | Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-40675 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Tags: XSS, Bagisto | Sources: NVD | CVSS 3.1: 6.1 | EPSS: 0.0%