CVE-2025-62418
Published 2025-10-16
Priority: P424 | Severity: medium, CVSS 3.1 base score 4.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.26% (16.7th percentile)
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.
Affected (3 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bagisto | bagisto | < 2.3.8 | 2.3.8 |
| bagisto | bagisto | >= 0 < 2.3.8 | 2.3.8 |
| webkul | bagisto | — | — |
GHSA · 2025-10-16
CVE-2025-62418 [MEDIUM] CWE-79: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
### Details
The underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE’s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the b
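The check that the advisory says is missing, namely refusing (or stripping) script elements, event-handler attributes and `javascript:` URLs in an uploaded SVG before it is stored, as an added example. This is not Bagisto's or TinyMCE's code and none of the function names below are their APIs; it is a stand-alone Python version, using only the standard library, of what an upload handler should do, and the sample SVGs are constructed for the illustration.

```python
"""Vet SVG uploads for active content before they are stored or rendered.

Added illustration for the advisory above; not Bagisto's code and not a
Bagisto or TinyMCE API. Standard library only.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep a clean default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script, embed arbitrary HTML, or can rewrite attributes
# at run time (e.g. <set attributeName="href">) once the SVG is rendered inline
# or through <object>/<embed>/<iframe>.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}
# URL schemes that run code when the link or target is activated.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Attributes (namespace stripped) that carry URLs worth checking for such a scheme.
URL_ATTRS = {"href", "src", "data"}


def _local(qname):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _compact(value):
    """Browsers strip tabs/newlines inside a URL scheme, so normalise before matching."""
    return "".join(value.split()).lower()


def find_active_content(svg_bytes):
    """Return a list of human-readable findings; empty means nothing script-like
    was seen. Raises ET.ParseError for malformed XML."""
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE/entity declaration"]   # refuse before parsing at all
    root = ET.fromstring(svg_bytes)
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and _compact(value).startswith(SCRIPT_SCHEMES):
                findings.append(f"script-scheme URL in {name} on <{tag}>")
    return findings


def sanitize_svg(svg_bytes):
    """Return a copy with forbidden elements and attributes removed."""
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        raise ValueError("refusing to parse SVG with DOCTYPE/entity declarations")
    root = ET.fromstring(svg_bytes)
    parent_of = {child: p for p in root.iter() for child in p}
    for el in list(root.iter()):
        if el is not root and _local(el.tag) in FORBIDDEN_TAGS:
            parent_of[el].remove(el)
            continue
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on") or (
                name in URL_ATTRS and _compact(el.attrib[attr]).startswith(SCRIPT_SCHEMES)
            ):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def vet_upload(svg_bytes, policy="reject"):
    """Decide what to do with an uploaded SVG: (accepted, bytes_to_store, findings).
    policy="reject" refuses any SVG with findings (the simpler, safer default);
    policy="sanitize" strips them and re-checks the result before accepting."""
    try:
        findings = find_active_content(svg_bytes)
        if not findings:
            return True, svg_bytes, []
        if policy == "sanitize":
            cleaned = sanitize_svg(svg_bytes)
            if not find_active_content(cleaned):
                return True, cleaned, findings
    except (ET.ParseError, ValueError) as exc:
        return False, None, [f"unparseable upload: {exc}"]
    return False, None, findings


# Constructed samples (not real Bagisto artifacts): the shape of file the advisory describes.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" onload="alert('xss')"/>
  <a xlink:href="java&#9;script:alert('xss')"><text>x</text></a>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        accepted, _, findings = vet_upload(data)
        print(f"{name}: accepted={accepted} findings={findings}")
```

Whatever the upload check does, the stored file should also be served in a way that cannot reach the admin origin's DOM: from a separate static origin, or with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, so that a case the filter misses still does not execute in the context the advisory describes.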
OSV · 2025-10-16
CVE-2025-62418 [MEDIUM]: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-16