High severity · OSV Advisory · Published Jan 2, 2026 · Updated Jan 2, 2026
Bagisto has SSTI in parameter that can lead to RCE
CVE-2026-21450
Description
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type query parameter of the admin reporting endpoints, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| bagisto/bagisto | Packagist | < 2.3.10 | 2.3.10 |
Patches
3f294b483759 Fixed SSTI issue in parameter of reporting
4 files changed · +20 −12
packages/Webkul/Admin/src/Http/Controllers/Reporting/Controller.php+17 −3 modified@@ -30,7 +30,7 @@ public function __construct(protected ReportingHelper $reportingHelper) {} */ public function stats() { - $stats = $this->reportingHelper->{$this->typeFunctions[request()->query('type')]}(); + $stats = $this->reportingHelper->{$this->resolveTypeFunction()}(); return response()->json([ 'statistics' => $stats, @@ -45,7 +45,7 @@ public function stats() */ public function viewStats() { - $stats = $this->reportingHelper->{$this->typeFunctions[request()->query('type')]}('table'); + $stats = $this->reportingHelper->{$this->resolveTypeFunction()}('table'); return response()->json([ 'statistics' => $stats, @@ -60,8 +60,22 @@ public function viewStats() */ public function export() { - $stats = $this->reportingHelper->{$this->typeFunctions[request()->query('type')]}('table'); + $stats = $this->reportingHelper->{$this->resolveTypeFunction()}('table'); return Excel::download(new ReportingExport($stats), request()->query('type').'.'.request()->query('format')); } + + /** + * Resolve the requested type into a valid function name. + * + * @return string + */ + protected function resolveTypeFunction() + { + if (! array_key_exists(request()->query('type'), $this->typeFunctions)) { + abort(404); + } + + return $this->typeFunctions[request()->query('type')]; + } }
packages/Webkul/Admin/src/Http/Controllers/Reporting/CustomerController.php+1 −3 modified@@ -38,9 +38,7 @@ public function index() */ public function view() { - if (! array_key_exists(request()->query('type'), $this->typeFunctions)) { - abort(404); - } + $this->resolveTypeFunction(); return view('admin::reporting.view')->with([ 'entity' => 'customers',
packages/Webkul/Admin/src/Http/Controllers/Reporting/ProductController.php+1 −3 modified@@ -40,9 +40,7 @@ public function index() */ public function view() { - if (! array_key_exists(request()->query('type'), $this->typeFunctions)) { - abort(404); - } + $this->resolveTypeFunction(); return view('admin::reporting.view')->with([ 'entity' => 'products',
packages/Webkul/Admin/src/Http/Controllers/Reporting/SaleController.php+1 −3 modified@@ -41,9 +41,7 @@ public function index() */ public function view() { - if (! array_key_exists(request()->query('type'), $this->typeFunctions)) { - abort(404); - } + $this->resolveTypeFunction(); return view('admin::reporting.view')->with([ 'entity' => 'sales',
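Review bot: in the new resolveTypeFunction() in Controller.php, request()->query('type') goes straight into array_key_exists(), which throws a TypeError (a 500) when the value is an array, as a request like ?type[]=x produces; a missing parameter (null) is treated as the key '' and does get the 404. Read the value once and check its type before the lookup, e.g. `$type = request()->query('type'); if (! is_string($type) || ! array_key_exists($type, $this->typeFunctions)) { abort(404); } return $this->typeFunctions[$type];`.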
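Review bot: in export() in Controller.php the unchanged return line still builds the download filename from request()->query('type').'.'.request()->query('format'); type is now constrained to the keys of $typeFunctions, but format is not validated at all and becomes the file extension, which Laravel Excel uses to infer the writer type. Check format against the export formats the report actually supports (the same allow-list style as resolveTypeFunction()) before it reaches Excel::download().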
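Review bot: in the view() methods of CustomerController, ProductController and SaleController the return value of $this->resolveTypeFunction() is discarded, so the line reads as a no-op and only validates because of the abort(404) inside the helper. Either add a one-line comment at each call site saying the call is for validation only, or give the base controller an explicit validation method (e.g. an assertValidType() that resolveTypeFunction() also calls) so the intent is visible where it is used.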
Vulnerability mechanics
The admin reporting controllers look the type query parameter up in the $typeFunctions map and invoke the resulting value as a method on the ReportingHelper: $this->reportingHelper->{$this->typeFunctions[request()->query('type')]}(). Before 2.3.10, stats(), viewStats() and export() in Reporting/Controller.php performed this lookup without checking that the key exists, while the view() methods of CustomerController, ProductController and SaleController each carried their own array_key_exists() check. The fix (commit 3f294b48) moves that check into a protected resolveTypeFunction() helper on the base controller, which aborts with 404 for any type not present in the map, and routes all six call sites through it. The advisory classifies the issue as server-side template injection; what the fix commit changes is the validation of the method name derived from type.
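The lookup-then-invoke pattern from the diff, reduced to a stand-alone script (an added example, not Bagisto's code): VulnerableController mirrors the pre-2.3.10 call, FixedController the resolveTypeFunction() allow-list from the patch. ReportingHelper's method names, the stats(array $query) signature and the RuntimeException standing in for Laravel's abort(404) are assumptions; the fixed version additionally checks that type is a string, which the patch itself does not.

```php
<?php
declare(strict_types=1);

// Added example, not Bagisto's code: a stand-alone stand-in for the admin
// reporting controller pattern visible in the fix commit. ReportingHelper's
// method names, the stats() signature and the RuntimeException used in place
// of Laravel's abort(404) are assumptions for this demo.

class ReportingHelper
{
    public function getTotalCustomersStats(string $mode = 'json'): array
    {
        return ['metric' => 'total-customers', 'mode' => $mode, 'value' => 42];
    }

    public function getTotalOrdersStats(string $mode = 'json'): array
    {
        return ['metric' => 'total-orders', 'mode' => $mode, 'value' => 7];
    }
}

class VulnerableController
{
    // Allow-list mapping the type query value to a helper method name.
    protected array $typeFunctions = [
        'total-customers' => 'getTotalCustomersStats',
        'total-orders'    => 'getTotalOrdersStats',
    ];

    public function __construct(protected ReportingHelper $reportingHelper) {}

    // Pre-2.3.10 shape: the query value indexes the map and the result is used
    // as a method name with no check that the key exists.
    public function stats(array $query): array
    {
        return $this->reportingHelper->{$this->typeFunctions[$query['type']]}();
    }
}

class FixedController extends VulnerableController
{
    public function stats(array $query): array
    {
        return $this->reportingHelper->{$this->resolveTypeFunction($query)}();
    }

    // Same role as the patch's resolveTypeFunction(): reject anything that is
    // not a known key before it can become a method name. The is_string()
    // check (not in the patch) turns ?type[]=x into a 404 instead of a TypeError.
    protected function resolveTypeFunction(array $query): string
    {
        $type = $query['type'] ?? null;
        if (! is_string($type) || ! array_key_exists($type, $this->typeFunctions)) {
            throw new RuntimeException('404 Not Found: unknown report type');
        }
        return $this->typeFunctions[$type];
    }
}

// Constructed requests: a valid type, an unknown type, and an array-valued type.
$requests = [
    ['type' => 'total-orders'],
    ['type' => 'does-not-exist'],
    ['type' => ['x']],
];

$helper = new ReportingHelper();
foreach ($requests as $query) {
    foreach ([new VulnerableController($helper), new FixedController($helper)] as $ctl) {
        try {
            $result = json_encode($ctl->stats($query));
        } catch (Throwable $e) {
            $result = get_class($e) . ': ' . $e->getMessage();
        }
        printf("%-20s type=%-16s -> %s\n", $ctl::class, json_encode($query['type']), $result);
    }
}
```

Run with php 8 and compare the two controllers per request: for the unknown type the vulnerable path emits an "Undefined array key" warning and then fails inside the engine when null is used as a method name, and for the array-valued type it fails with a TypeError on the array offset; the fixed path rejects both before any method name is formed.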
References
- github.com/advisories/GHSA-9hvg-qw5q-wqwp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-21450 (NVD entry)
- github.com/bagisto/bagisto/commit/3f294b4837595929107d9c1bbd6d5b1222ef9fea (fix commit)
- github.com/bagisto/bagisto/releases/tag/v2.3.10 (patched release)
- github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp (repository advisory, vendor confirmation)