CVE-2026-21446
published 2026-01-02

Priority: P2 (71)
Severity: critical, 9.8 (CVSS 3.1), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% (43.5th percentile)
Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain active after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly reachable and exploitable without any authentication, so an attacker can bypass the web installer entirely by calling these endpoints directly. Any unauthenticated attacker who can reach the web interface can therefore create admin accounts, modify application configuration, and potentially overwrite existing data. Version 2.3.10 fixes the issue; until an upgrade is possible, denying requests to `/install/` at the web server or reverse proxy removes the exposed surface.

Affected (3 ranges)

Vendor    Product   Version range        Fixed in
bagisto   bagisto
bagisto   bagisto   >= 2.3.0, < 2.3.10   2.3.10
webkul    bagisto   >= 2.3.0, < 2.3.10   2.3.10

Detection & IOCs (extracted from sources)

URL: /install/api/*
  • Monitor for unauthenticated HTTP requests to /install/api/* endpoints on Bagisto instances, especially POST requests that may attempt to create admin accounts or modify application configuration.
  • Alert on any access to /install/api/* routes on Bagisto 2.3.x installations that have already completed setup, as these routes should not be reachable post-installation.
  • Investigate unexpected admin account creation or application configuration changes on Bagisto 2.3.x (prior to 2.3.10) as potential indicators of exploitation.
  • No authentication is required to exploit this vulnerability; the attack surface is exposed to any network-level attacker who can reach the Bagisto web interface.

CVSS provenance

NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, v4.0: 8.8 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X