CVE-2025-60880 — Cross-site Scripting in Bagisto
Severity
8.3 HIGH (NVD)
EPSS
0.0% (top 97.85%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Oct 10
Description
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
Exploitability: 1.7 | Impact: 6.0