Moderate severity | NVD Advisory | Published Oct 16, 2025 | Updated Oct 17, 2025
bagisto - Server Side Template Injection (SSTI) in Product Description
CVE-2025-62416
Description
Bagisto is an open-source Laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI): unsanitized user input is processed by the server-side templating engine when product descriptions are rendered. An attacker who holds product-creation privileges can inject arbitrary template expressions that the backend evaluates, potentially leading to Remote Code Execution (RCE) on the server. The vulnerability is fixed in version 2.3.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| bagisto/bagisto | Packagist | < 2.3.8 | 2.3.8 |
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- https://github.com/advisories/GHSA-527q-4wqv-g9wj (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-62416 (NVD advisory)
- https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj (vendor advisory, x_refsource_CONFIRM)
News mentions: 0 (no linked articles in the index yet)