CVE-2025-62416 — Code Injection in Bagisto

CWE-94 — Code Injection CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine4 documents4 sources

Severity

6.8MEDIUMNVD

CNA5.1

EPSS

0.2%

top 62.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bagisto Webkul Bagisto

Timeline

PublishedOct 16

Description

Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5bagisto/bagisto< 2.3.8

▶Packagistbagisto/bagisto< 2.3.8

▶NVDwebkul/bagisto2.3.7

🔴Vulnerability Details

OSV

bagisto has Server Side Template Injection (SSTI) in Product Description↗2025-10-16

▶

CVEList

bagisto - Server Side Template Injection (SSTI) in Product Description↗2025-10-16

▶

GHSA

bagisto has Server Side Template Injection (SSTI) in Product Description↗2025-10-16

▶