VYPR
High severity · OSV Advisory · Published Jan 2, 2026 · Updated Jan 2, 2026

Bagisto has SSTI via first and last name from low-privilege user (not admin)

CVE-2026-21449

Description

Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection through the first-name and last-name fields of a low-privilege (non-admin) customer account. Version 2.3.10 fixes the issue.
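To make the advisory concrete, the following is an added model of the rendering path that the fix commit further down this page changes; it is illustrative code written for this page, not Bagisto's or Vue's. Blade's `{{ }}` only HTML-escapes (Laravel's `e()`, i.e. htmlspecialchars with ENT_QUOTES), so a customer name such as `{{7*7}}` reaches the rendered HTML unchanged and a Vue-style in-DOM template compiler treats it as an interpolation. The 2.3.10 fix moves the value into a single-quoted string inside `v-text`; the same model shows the caveat a reviewer would check: the HTML parser decodes character references in attribute values before the `v-text` expression is compiled, so a name containing a single quote still alters the expression. The mustache scanner stands in for Vue and is not its code, the `v-pre` variant is an alternative assumed here and not the project's fix, and the helper names and sample names are constructed for the example.

```python
import html
import re
from typing import Optional

# Class list copied from the profile template for realism; otherwise irrelevant to the model.
NAME_CLASSES = "text-sm font-medium text-zinc-500"


def blade_escape(value: str) -> str:
    """Laravel's e() as used by Blade's {{ }}: htmlspecialchars with ENT_QUOTES.
    '{' and '}' are not special to HTML, so a mustache passes through untouched."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


def render_before(name: str) -> str:
    """Markup before the fix: the escaped name is emitted as a text node."""
    return f'<p class="{NAME_CLASSES}">{blade_escape(name)}</p>'


def render_after(name: str) -> str:
    """Markup after the fix (2.3.10): the escaped name sits inside a single-quoted
    string literal in the v-text directive."""
    return f'<p class="{NAME_CLASSES}" v-text="\'{blade_escape(name)}\'"></p>'


def render_with_v_pre(name: str) -> str:
    """Alternative (assumption, not the project's fix): keep the text node but mark the
    element v-pre so a Vue-style compiler leaves its content uncompiled."""
    return f'<p class="{NAME_CLASSES}" v-pre>{blade_escape(name)}</p>'


MUSTACHE = re.compile(r"\{\{(.+?)\}\}", re.S)
V_PRE_ELEMENT = re.compile(r"<(\w+)[^>]*\bv-pre\b[^>]*>.*?</\1>", re.S)
TAG = re.compile(r"<[^>]*>")


def client_interpolations(markup: str) -> list[str]:
    """Expressions a mustache-style in-DOM template compiler (a stand-in for Vue, not Vue
    itself) would evaluate from text nodes: v-pre subtrees are skipped, tags are dropped,
    then every {{ ... }} left in the text is collected."""
    markup = V_PRE_ELEMENT.sub("", markup)
    text_only = TAG.sub("", markup)
    return [m.strip() for m in MUSTACHE.findall(text_only)]


def v_text_expression(markup: str) -> Optional[str]:
    """What the compiler receives for v-text: the attribute value after the HTML parser
    has decoded character references, so &#039; is a plain quote again."""
    m = re.search(r'\sv-text="([^"]*)"', markup)
    return html.unescape(m.group(1)) if m else None


SINGLE_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'", re.S)


def is_single_string_literal(expr: str) -> bool:
    """True if the expression is exactly one single-quoted JS literal, i.e. the
    interpolated name could not have closed the quotes early."""
    return SINGLE_STRING_LITERAL.fullmatch(expr) is not None


if __name__ == "__main__":
    # Constructed sample inputs: what a self-registered customer might enter as a first name.
    for name in ["Alice", "{{7*7}}", "'+alert(1)+'"]:
        expr = v_text_expression(render_after(name))
        print(repr(name))
        print("  before:", client_interpolations(render_before(name)))
        print("  after :", client_interpolations(render_after(name)),
              "| v-text expression:", repr(expr),
              "| single literal:", is_single_string_literal(expr))
        print("  v-pre :", client_interpolations(render_with_v_pre(name)))
```

The model only shows the expression text changing; whether a broken string literal is reachable for anything useful depends on the globals the real Vue build exposes to template expressions, so the check that matters is a regression test in the actual shop front end with a name containing both `{{` and `'`.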

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
bagisto/bagisto   Packagist   < 2.3.10            2.3.10

Affected products: 1

Patches: 1

Commit 4144931da001

Merge pull request #11062 from shivamwebkul/fix/customer-profile-ssti

https://github.com/bagisto/bagisto · Devansh · Dec 23, 2025 · via GHSA
1 file changed · +14 −10
  • packages/Webkul/Shop/src/Resources/views/customers/account/profile/index.blade.php · +14 −10 · modified
    @@ -15,15 +15,15 @@
             <x-shop::layouts.account.navigation />
         </div>
     
    -    <div class="mx-4 flex-auto max-md:mx-6 max-sm:mx-4">
    +    <div class="flex-auto mx-4 max-md:mx-6 max-sm:mx-4">
             <div class="flex items-center justify-between">
                 <div class="flex items-center">
                     <!-- Back Button -->
                     <a
                         class="grid md:hidden"
                         href="{{ route('shop.customers.account.index') }}"
                     >
    -                    <span class="icon-arrow-left rtl:icon-arrow-right text-2xl"></span>
    +                    <span class="text-2xl icon-arrow-left rtl:icon-arrow-right"></span>
                     </a>
     
                     <h2 class="text-2xl font-medium max-md:text-xl max-sm:text-base ltr:ml-2.5 md:ltr:ml-0 rtl:mr-2.5 md:rtl:mr-0">
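Review bot: both changes in this hunk only reorder utility classes (`mx-4 flex-auto` to `flex-auto mx-4`, and `icon-arrow-left rtl:icon-arrow-right text-2xl` to `text-2xl icon-arrow-left rtl:icon-arrow-right`); keep formatter churn out of a security fix so the functional change stays easy to isolate, review and cherry-pick into older branches.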
    @@ -44,16 +44,18 @@ class="secondary-button border-zinc-200 px-5 py-3 font-normal max-md:rounded-lg
             </div>
     
             <!-- Profile Information -->
    -        <div class="mt-8 grid grid-cols-1 gap-y-6 max-md:mt-5 max-sm:gap-y-4">
    +        <div class="grid grid-cols-1 mt-8 gap-y-6 max-md:mt-5 max-sm:gap-y-4">
                 {!! view_render_event('bagisto.shop.customers.account.profile.first_name.before') !!}
     
                 <div class="grid w-full grid-cols-[2fr_3fr] border-b border-zinc-200 px-8 py-3 max-md:px-0">
                     <p class="text-sm font-medium">
                         @lang('shop::app.customers.account.profile.index.first-name')
                     </p>
     
    -                <p class="text-sm font-medium text-zinc-500">
    -                    {{ $customer->first_name }}
    +                <p 
    +                    class="text-sm font-medium text-zinc-500"
    +                    v-text="'{{ $customer->first_name }}'"
    +                >
                     </p>
                 </div>
     
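Review bot: the `+` lines place the customer-controlled value inside a single-quoted string literal of a Vue expression (`v-text="'{{ $customer->first_name }}'"`) while Blade's `{{ }}` only HTML-escapes it. The HTML parser decodes character references in attribute values before the compiler reads the expression, so the `&#039;` that `e()` emits for a single quote is a plain `'` again by the time `v-text` is evaluated, and a first name of the form `'+...+'` closes the literal early. Moving the value out of the text node does stop the old mustache interpolation (on the `-` line a name like `{{7*7}}` survives escaping and is compiled as a template expression), but the string boundary needs a JS-safe encoding rather than HTML escaping, or the paragraph should keep its plain `{{ $customer->first_name }}` text output and carry `v-pre` so it is not compiled at all. A regression test with a name containing both `{{` and `'` would pin this down.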
    @@ -66,8 +68,10 @@ class="secondary-button border-zinc-200 px-5 py-3 font-normal max-md:rounded-lg
                         @lang('shop::app.customers.account.profile.index.last-name')
                     </p>
     
    -                <p class="text-sm font-medium text-zinc-500">
    -                    {{ $customer->last_name }}
    +                <p 
    +                    class="text-sm font-medium text-zinc-500"
    +                    v-text="'{{ $customer->last_name }}'"
    +                >
                     </p>
                 </div>
     
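Review bot: this hunk repeats the first-name construct verbatim for `last_name`, so whatever quoting treatment the first-name paragraph ends up with must be applied here in lockstep; a shared partial or component taking the label key and the value would keep the two from drifting, and the test for the first name should be parameterised over both fields.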
    @@ -108,7 +112,7 @@ class="secondary-button border-zinc-200 px-5 py-3 font-normal max-md:rounded-lg
                         @lang('shop::app.customers.account.profile.index.email')
                     </p>
     
    -                <p class="text-sm font-medium text-zinc-500 no-underline">
    +                <p class="text-sm font-medium no-underline text-zinc-500">
                         {{ $customer->email }}
                     </p>
                 </div>
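Review bot: the email paragraph keeps the original text-node form `{{ $customer->email }}` while first and last name were moved into `v-text`; if that is intentional because the email field is validated to a syntactic address server-side and can never carry `{{`, say so in the PR, otherwise give it the same treatment so the profile view uses one rendering pattern for customer-supplied strings.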
    @@ -121,7 +125,7 @@ class="secondary-button border-zinc-200 px-5 py-3 font-normal max-md:rounded-lg
                 <x-shop::form action="{{ route('shop.customers.account.profile.destroy') }}">
                     <x-shop::modal>
                         <x-slot:toggle>
    -                        <div class="primary-button rounded-2xl px-11 py-3 max-md:hidden max-md:rounded-lg">
    +                        <div class="py-3 primary-button rounded-2xl px-11 max-md:hidden max-md:rounded-lg">
                                 @lang('shop::app.customers.account.profile.index.delete-profile')
                             </div>
     
    @@ -157,7 +161,7 @@ class="text-left"
                         <x-slot:footer>
                             <button
                                 type="submit"
    -                            class="primary-button flex rounded-2xl px-11 py-3 max-md:rounded-lg max-md:px-6 max-md:text-sm"
    +                            class="flex py-3 primary-button rounded-2xl px-11 max-md:rounded-lg max-md:px-6 max-md:text-sm"
                             >
                                 @lang('shop::app.customers.account.profile.index.delete')
                             </button>
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026 from CWE entries and the fix-commit diffs for this CVE's patches; citations validated against the bundle.

References: 5

News mentions: 0

No linked articles in our index yet.