
cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Webkul (08ad6940-8efb-5f93-af42-cb470e3ac46e)
Product: Bagisto (c027c149-cff7-5719-8b92-91afba0e0481)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:bitbucket/zaid1102/bagisto | purl2cpe | 2026-06-01 10:12:35.207161
pkg:github/bagisto/bagisto | purl2cpe | 2026-06-01 10:12:35.207164

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2026-21451 | vulnerable | 2026-06-08 07:49:16.400719
Title: Bagisto has HTML Filter Bypass that Enables Stored XSS
Description: Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.
Published: 2026-01-02T20:37:06.795Z
Updated: 2026-01-02T21:25:51.523Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-21450 | vulnerable | 2026-06-08 07:49:16.400455
Title: Bagisto has SSTI in parameter that can lead to RCE
Description: Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.
Published: 2026-01-02T20:38:48.544Z
Updated: 2026-01-02T21:24:43.041Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-21449 | vulnerable | 2026-06-08 07:49:16.400083
Title: Bagisto has SSTI via first and last name from low-privilege user (not admin)
Description: Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name of a low-privilege user. Version 2.3.10 fixes the issue.
Published: 2026-01-02T20:35:21.794Z
Updated: 2026-01-02T21:27:39.053Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-21448 | vulnerable | 2026-06-08 07:49:16.399815
Title: Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
Description: Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value that runs in the admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.
Published: 2026-01-02T20:18:08.519Z
Updated: 2026-01-02T21:29:34.047Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-21447 | vulnerable | 2026-06-08 07:49:16.399523
Title: Bagisto has IDOR in Customer Order Reorder Functionality
Severity: HIGH (7.1)
Description: Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
Published: 2026-01-02T20:15:11.750Z
Updated: 2026-01-02T21:30:38.620Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-21446 | vulnerable | 2026-06-08 07:49:16.399158 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data
CVE-2025-40675 | vulnerable | 2026-06-08 07:25:05.363903 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data
CVE-2023-36237 | vulnerable | 2026-06-08 06:06:28.663124 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data
CVE-2023-36236 | vulnerable | 2026-06-08 06:06:28.661907 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data
CVE-2019-16403 | vulnerable | 2026-06-08 05:13:08.424917 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data
