High severityOSV Advisory· Published Jan 2, 2026· Updated Jan 2, 2026
Bagisto has IDOR in Customer Order Reorder Functionality
CVE-2026-21447
Description
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bagisto/bagistoPackagist | < 2.3.10 | 2.3.10 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-x5rw-qvvp-5cgmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21447ghsaADVISORY
- github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3ghsax_refsource_MISCWEB
- github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.