VYPR
Moderate severity · OSV Advisory · Published Jan 2, 2026 · Updated Jan 2, 2026

Bagisto has HTML Filter Bypass that Enables Stored XSS

CVE-2026-21451

Description

Bagisto is an open-source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.
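The description above says the editor's script-tag filtering was skipped by altering the raw POST body, which suggests the filtering was effectively trusted to happen on the client. The defensive pattern is a server-side allow-list sanitizer that rewrites every submission regardless of what the client claims to have removed. The following is an added example, not Bagisto's code and not the fix the project shipped; the class, method and constant names are hypothetical, the allow-list is illustrative, and the sample input is constructed.

```php
<?php
// Added example, not Bagisto's code: a minimal server-side allow-list HTML
// sanitizer for CMS content. Whatever the editor did (or did not) strip on the
// client, the server applies its own filter to the bytes that actually arrive.
// Class, method and constant names are hypothetical.
declare(strict_types=1);

final class AllowListHtmlSanitizer
{
    /** Elements that may stay, each with the attributes it may keep. */
    private const ALLOWED = [
        'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [],
        'li' => [], 'h1' => [], 'h2' => [], 'h3' => [], 'blockquote' => [],
        'a' => ['href', 'title'],
        'img' => ['src', 'alt'],
    ];

    /** Elements removed together with their content; other unknown elements are unwrapped. */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'template', 'noscript'];

    /** URL schemes accepted in href/src; any other scheme (javascript:, data:, ...) is stripped. */
    private const SAFE_SCHEMES = ['http', 'https', 'mailto'];

    public function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        $previous = libxml_use_internal_errors(true); // tolerate malformed markup quietly
        // The leading XML declaration tells libxml the encoding; LIBXML_NONET blocks
        // any external resource loading while parsing.
        $doc->loadHTML(
            '<?xml encoding="utf-8"?><body>' . $html . '</body>',
            LIBXML_NONET | LIBXML_HTML_NODEFDTD
        );
        libxml_use_internal_errors($previous);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        $this->clean($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child); // text nodes are re-escaped on serialization
        }
        return $out;
    }

    private function clean(DOMNode $node): void
    {
        // Snapshot the list: removing or moving children while iterating a live
        // DOMNodeList skips siblings.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);

                if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                    $node->removeChild($child); // element and everything inside it
                    continue;
                }

                $this->clean($child); // sanitize the subtree first

                if (!isset(self::ALLOWED[$tag])) {
                    // Unknown but harmless element: keep its cleaned children, drop the tag.
                    while ($child->firstChild !== null) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                    continue;
                }

                foreach (iterator_to_array($child->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    if (!in_array($name, self::ALLOWED[$tag], true) || !$this->urlAttributeIsSafe($name, $attr->value)) {
                        $child->removeAttributeNode($attr); // drops on*, style, and unsafe URLs
                    }
                }
            } elseif ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child); // comments, processing instructions, CDATA
            }
        }
    }

    private function urlAttributeIsSafe(string $name, string $value): bool
    {
        if ($name !== 'href' && $name !== 'src') {
            return true;
        }
        // Browsers ignore whitespace and control characters inside a scheme, so
        // strip them before deciding which scheme the value really carries.
        $url = preg_replace('/[\x00-\x20\x7f]/', '', $value) ?? '';
        if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m) === 1) {
            return in_array(strtolower($m[1]), self::SAFE_SCHEMES, true);
        }
        return true; // relative URL, fragment, or protocol-relative path
    }
}

// Constructed sample standing in for a raw POST body that skipped the editor's filter.
$untrusted = '<p onclick="steal()">Hello <strong>world</strong></p>'
    . '<script>alert(1)</script>'
    . '<div><a href="https://example.com" target="_blank">ok</a></div>';

echo (new AllowListHtmlSanitizer())->sanitize($untrusted), PHP_EOL;
```

Run on the sample, the sanitizer removes the `script` element with its content, strips the `onclick` and `target` attributes because neither is allow-listed, and unwraps the `div` while keeping the link. The allow-list is applied on every save, so editing the POST body changes nothing; output-side escaping when the page is rendered remains a separate layer and is not replaced by this step.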

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bagisto/bagisto (Packagist)
Affected versions: < 2.3.10
Patched versions: 2.3.10

Affected products (1)

Patches (1)
f533b1cd9c80

fix(security): sanitize review attachments to prevent stored XSS

https://github.com/bagisto/bagisto · shivam singh · Dec 24, 2025 · via ghsa
1 file changed · +12 −3
  • packages/Webkul/Product/src/Repositories/ProductReviewAttachmentRepository.php · +12 −3 · modified
    @@ -3,11 +3,14 @@
     namespace Webkul\Product\Repositories;
     
     use Webkul\Core\Eloquent\Repository;
    +use Webkul\Core\Traits\Sanitizer;
     use Webkul\Product\Contracts\ProductReview;
     use Webkul\Product\Contracts\ProductReviewAttachment;
     
     class ProductReviewAttachmentRepository extends Repository
     {
    +    use Sanitizer;
    +
         /**
          * Specify model class name.
          */
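Review bot: the `use Sanitizer;` line is the only behavioural change in this hunk, and nothing here documents what the trait contributes; a short docblock on that line noting that it supplies the `sanitizeSVG()` method used in `upload()` would spare readers of this repository class a trip to `Webkul\Core\Traits\Sanitizer`.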
    @@ -22,13 +25,19 @@ public function model(): string
         public function upload(array $attachments, ProductReview $review): void
         {
             foreach ($attachments as $attachment) {
    -            $fileType = explode('/', $attachment->getMimeType());
    +            $mimeType = $attachment->getMimeType();
    +
    +            $fileType = explode('/', $mimeType);
    +
    +            $path = $attachment->store('review/'.$review->id);
    +
    +            $this->sanitizeSVG($path, $mimeType);
     
                 $this->create([
    -                'path'      => $attachment->store('review/'.$review->id),
    +                'path'      => $path,
                     'review_id' => $review->id,
                     'type'      => $fileType[0],
    -                'mime_type' => $fileType[1],
    +                'mime_type' => $fileType[1] ?? null,
                 ]);
             }
         }
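Review bot: in the loop body, `$path = $attachment->store('review/'.$review->id);` writes the raw upload to disk before `$this->sanitizeSVG($path, $mimeType);` runs, so if `sanitizeSVG` throws, or returns without rewriting the file, the unsanitized SVG stays at `$path` (the subsequent `create()` is skipped only in the exception case, leaving an orphaned but still served file). Prefer sanitizing the upload contents before the final `store()`, or wrap store/sanitize/create so that a failed sanitization deletes the stored file. The hunk also does not show which storage disk `sanitizeSVG` reads `$path` from, while `store()` here uses the default disk; confirm both resolve to the same location, since a mismatch would turn the sanitization into a silent no-op. The `$fileType[1] ?? null` change is a sound defensive fix for MIME types with no subtype.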
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.