Webkul Bagisto vulnerabilities
20 known vulnerabilities affecting webkul/bagisto.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 10, MEDIUM 10
Vulnerabilities
CVE-2026-21446 | HIGH | CVSS 8.8 | CWE-306 | affected: ≥ 2.3.0, < 2.3.10 | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the web installer entirely by calling the AP
CVE-2026-21447 | HIGH | CVSS 7.1 | CWE-284 | affected: prior to 2.3.10 (fixed in 2.3.10) | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase informati
CVE-2026-21448 | HIGH | CVSS 8.9 | CWE-1336 | affected: prior to 2.3.10 (fixed in 2.3.10) | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, they can inject a template payload in the `add address` step that is later rendered in the admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.
CVE-2026-21449 | HIGH | CVSS 7.4 | CWE-1336 | affected: prior to 2.3.10 (fixed in 2.3.10) | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name fields, exploitable by a low-privilege user. Version 2.3.10 fixes the issue.
CVE-2026-21450 | HIGH | CVSS 7.3 | CWE-1336 | affected: prior to 2.3.10 (fixed in 2.3.10) | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the `type` parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.
CVE-2026-21451 | MEDIUM | CVSS 5.2 | CWE-79 | affected: prior to 2.3.10 (fixed in 2.3.10) | published 2026-01-02 | source: NVD
Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary Jav
CVE-2025-62417 | HIGH | CVSS 7.1 | CWE-1236 | affected: v2.3.7 | published 2025-10-16 | source: NVD
Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product
CVE-2025-62418 | MEDIUM | CVSS 4.8 | CWE-80 | affected: v2.3.7 | published 2025-10-16 | source: NVD
Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user's browser. This vulnerability is fixed in 2.3.
CVE-2025-62416 | MEDIUM | CVSS 6.8 | CWE-94 | affected: v2.3.7 | published 2025-10-16 | source: NVD
Bagisto is an open source Laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are e
CVE-2025-62415 | MEDIUM | CVSS 4.8 | CWE-80 | affected: v2.3.7 | published 2025-10-16 | source: NVD
Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user's browser. This vulnerability is fixed in 2.3
CVE-2025-62414 | MEDIUM | CVSS 4.8 | CWE-80 | affected: v2.3.7 | published 2025-10-16 | source: NVD
Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the "Create New Customer" feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an
CVE-2025-60880 | HIGH | CVSS 8.3 | CWE-79 | affected: v2.3.6 | published 2025-10-10 | source: NVD
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, da
CVE-2025-56426 | MEDIUM | CVSS 6.5 | CWE-77 | affected: v2.3.6 | published 2025-10-09 | source: NVD
An issue in WebKul Bagisto v2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint; specifically, the price calculation logic fails to validate quantity inputs properly.
CVE-2025-40675 | MEDIUM | CVSS 5.1 | CWE-79 | affected: ≥ 2.0.0, < 2.2.3 | published 2025-06-09 | source: NVD
A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to
CVE-2023-36238 | MEDIUM | CVSS 6.5 | CWE-639 | affected: v1.5.1 | published 2024-03-13 | source: NVD
Insecure Direct Object Reference (IDOR) in Bagisto v1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.
CVE-2024-27499 | MEDIUM | CVSS 6.5 | CWE-79 | affected: v1.5.1 | published 2024-03-01 | source: NVD
Bagisto v1.5.1 is vulnerable to cross-site scripting (XSS) via a PNG file upload in the product review option.
CVE-2023-36237 | HIGH | CVSS 8.8 | CWE-352 | affected: before 1.5.1 (fixed in 1.5.1) | published 2024-02-26 | source: NVD
Cross-Site Request Forgery (CSRF) vulnerability in Bagisto before v1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.
CVE-2023-36236 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≤ 1.5.0 | published 2024-01-16 | source: NVD
Cross-Site Scripting (XSS) vulnerability in Webkul Bagisto v1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file upload.
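The SVG and HTML upload findings on this page (CVE-2025-62418, CVE-2025-62415, CVE-2025-60880, CVE-2023-36236) share one root cause: the upload handler trusts the file's extension or client-sent MIME type. What follows is an added example, not Bagisto's own code, of the content-based check a practitioner would put in front of the media store; the allow-list, the function names and the sample files are assumptions of the demo.

```php
<?php
// Added example (not Bagisto project code): decide whether an uploaded
// "image" really is a raster image by inspecting its bytes, so SVG, HTML or
// renamed files never reach the media directory. The sample files below are
// constructed inline; the allow-list and function names are demo assumptions.
declare(strict_types=1);

const ALLOWED_RASTER_MIME = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];

/** Detected MIME type if the bytes are an allowed raster image, else null. */
function detectSafeImageType(string $bytes): ?string
{
    if ($bytes === '') {
        return null;
    }
    // Step 1: libmagic content sniff. The client-supplied filename and
    // Content-Type header are deliberately never consulted.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!is_string($sniffed) || !in_array($sniffed, ALLOWED_RASTER_MIME, true)) {
        return null; // image/svg+xml, text/html, text/xml, ... all end here
    }
    // Step 2: the bytes must decode as that image type, and the decoder's own
    // verdict must agree with libmagic's. This rejects polyglots whose header
    // belongs to one format and body to another.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || ($info['mime'] ?? null) !== $sniffed) {
        return null;
    }
    return $sniffed;
}

/** The stored name is derived from the detected type, never from the upload. */
function storageExtensionFor(string $mime): string
{
    return ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/webp' => 'webp'][$mime];
}

// Constructed samples: a real 1x1 PNG, an SVG with an onload handler, and an
// HTML file. Uploading the SVG under a ".png" name changes nothing, because
// the name is not an input to the check.
$samples = [
    'png'  => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
    'svg'  => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"></svg>',
    'html' => "<!doctype html>\n<script>alert(1)</script>",
];
foreach ($samples as $label => $bytes) {
    $type = detectSafeImageType($bytes);
    echo str_pad($label, 5), $type === null ? 'REJECT' : 'accept, store as .' . storageExtensionFor($type), "\n";
}
// png  accept, store as .png
// svg  REJECT
// html REJECT
```

Two caveats belong next to this check. A valid PNG that carries markup inside its data (the CVE-2024-27499 case) passes it, so the files must also be served with the detected Content-Type and `X-Content-Type-Options: nosniff` so the browser never reinterprets them as HTML. And where SVG genuinely has to be accepted for admins, it should be served with `Content-Disposition: attachment` or from a separate origin under a restrictive Content-Security-Policy rather than inline from the shop's origin.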
CVE-2023-33570 | HIGH | CVSS 8.8 | CWE-94 | affected: v1.5.1 | published 2023-06-28 | source: NVD
Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
CVE-2019-16403 | HIGH | CVSS 8.8 | CWE-639 | affected: before 0.1.5 (fixed in 0.1.5) | published 2019-09-18 | source: NVD
In Webkul Bagisto before 0.1.5, the functionality for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
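The three IDOR findings on this page (the reorder function in CVE-2026-21447, the invoice ID in CVE-2023-36238, and customer records in CVE-2019-16403) are all the same missing ownership check. Below is an added example, not Bagisto's code, of the unscoped lookup next to the scoped one, written over an in-memory order table so it runs without Laravel; in an Eloquent application the scoped form is the relationship lookup (`$customer->orders()->findOrFail($id)`) instead of a global `Order::find($id)`. The table contents, class and function names are constructed for the demo, and the code assumes PHP 8.

```php
<?php
// Added example (not Bagisto project code): the ownership check that the IDOR
// findings are missing, over a constructed in-memory order table. Class,
// function and field names are demo assumptions; requires PHP 8 (throw expr).
declare(strict_types=1);

final class OrderNotFound extends RuntimeException {}

final class OrderRepository
{
    /** @var array<int, array{id:int, customer_id:int, items:string[]}> */
    private array $orders = [];

    public function __construct(array $orders)
    {
        foreach ($orders as $o) {
            $this->orders[$o['id']] = $o;
        }
    }

    /** Vulnerable pattern: trusts the client-supplied id alone. */
    public function findById(int $orderId): array
    {
        return $this->orders[$orderId] ?? throw new OrderNotFound("order $orderId");
    }

    /**
     * Hardened pattern: the lookup is scoped to the caller's own identity, and
     * a foreign id raises the same error as a missing one, so the response
     * does not even confirm that the other customer's order exists.
     */
    public function findForCustomer(int $customerId, int $orderId): array
    {
        $order = $this->orders[$orderId] ?? null;
        if ($order === null || $order['customer_id'] !== $customerId) {
            throw new OrderNotFound("order $orderId");
        }
        return $order;
    }
}

/** Reorder: copy an order's items into the acting customer's cart. */
function reorder(OrderRepository $repo, int $actingCustomerId, int $orderId, array &$cart): void
{
    // The acting customer comes from the session, never from the request body.
    $order = $repo->findForCustomer($actingCustomerId, $orderId);
    foreach ($order['items'] as $sku) {
        $cart[] = $sku;
    }
}

$repo = new OrderRepository([
    ['id' => 1001, 'customer_id' => 7, 'items' => ['SKU-A', 'SKU-B']],
    ['id' => 1002, 'customer_id' => 8, 'items' => ['SKU-SECRET']],
]);

$cart = [];
reorder($repo, 7, 1001, $cart);                  // own order: allowed
echo "cart after own reorder: " . implode(',', $cart) . "\n";

try {
    reorder($repo, 7, 1002, $cart);              // customer 8's order: rejected
} catch (OrderNotFound $e) {
    echo "reorder of 1002 as customer 7 rejected: {$e->getMessage()}\n";
}

// For contrast, the unscoped lookup hands over the other customer's order.
echo "unscoped lookup leaks: " . implode(',', $repo->findById(1002)['items']) . "\n";
```

The same shape applies to invoices and customer profile records: the identifier from the URL is only ever resolved through the authenticated principal, and the 404-style failure is identical for "does not exist" and "not yours".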