CVE-2026-21450 — Improper Neutralization of Special Elements Used in a Template Engine in Bagisto

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine5 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.7%

top 27.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bagisto Webkul Bagisto

Timeline

PublishedJan 2

Description

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDwebkul/bagisto< 2.3.10

▶CVEListV5bagisto/bagisto< 2.3.10

▶Packagistbagisto/bagisto< 2.3.10

🔴Vulnerability Details

GHSA

Bagisto SSTI vulnerability in type parameter can lead to RCE↗2026-01-02

▶

OSV

Bagisto SSTI vulnerability in type parameter can lead to RCE↗2026-01-02

▶

CVEList

Bagisto has SSTI in parameter that can lead to RCE↗2026-01-02

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21450 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶