Medium severity6.3NVD Advisory· Published Apr 21, 2026· Updated Apr 29, 2026

CVE-2026-6744

Description

A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
bagisto/bagistoPackagist	<= 2.3.15	—

Affected products

BagistoPWA/Bagistoinferred
Range: <=2.3.15

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-x3f9-vcp2-hgcwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-6744ghsaADVISORY
drive.google.com/file/d/1pVSN3BYjI_rUE2Jms5EcIBGSMdrq6Wql/viewnvdWEB
vuldb.com/submit/794680nvdWEB
vuldb.com/vuln/358435nvdWEB
vuldb.com/vuln/358435/ctinvdWEB

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000