cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:*

Part: a (application)
Version: 2.3.7
Update: *
Vendor: Webkul (08ad6940-8efb-5f93-af42-cb470e3ac46e)
Product: Bagisto (c027c149-cff7-5719-8b92-91afba0e0481)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL                             | Source   | Last updated
pkg:bitbucket/zaid1102/bagisto   | purl2cpe | 2026-06-01 10:12:35.207322
pkg:github/bagisto/bagisto       | purl2cpe | 2026-06-01 10:12:35.207323

Vulnerability references

Each entry lists: Identifier, cpeApplicability, Submitted (to db.gcve.eu), details, and Rationale.

Identifier: CVE-2025-62418
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:37:29.644566
Title: bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)
Severity: MEDIUM (6.9)
Description: Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.
Published: 2025-10-16T18:35:06.105Z
Updated: 2025-10-17T14:31:21.920Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-62417
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:37:29.644286
Title: bagisto - CSV Formula Injection in Create New Product
Description: Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8.
Published: 2025-10-16T18:32:45.964Z
Updated: 2025-10-17T14:32:48.820Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-62416
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:37:29.643848
Title: bagisto - Server Side Template Injection (SSTI) in Product Description
Severity: MEDIUM (5.1)
Description: Bagisto is an open source Laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.
Published: 2025-10-16T18:32:55.776Z
Updated: 2025-10-17T14:32:21.309Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-62415
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:37:29.643387
Title: bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)
Severity: MEDIUM (6.9)
Description: Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.
Published: 2025-10-16T18:36:51.842Z
Updated: 2025-10-17T14:30:51.605Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-62414
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:37:29.642998
Title: bagisto - Cross Site Scripting (XSS) in Create New Customer
Severity: MEDIUM (6.9)
Description: Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.
Published: 2025-10-16T18:33:03.900Z
Updated: 2025-10-17T14:31:54.961Z
Rationale: Imported from gcve-enriched-dumps CVE data
