VYPR
Moderate severity · NVD Advisory · Published Oct 16, 2025 · Updated Oct 17, 2025

bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)

CVE-2025-62415

Description

Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When the file is viewed, the malicious code executes in the context of the admin's or user's browser. This vulnerability is fixed in 2.3.8.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions    Patched versions
bagisto/bagisto (Packagist)    < 2.3.8              2.3.8
