VYPR
Vendor

Bagisto

Products
1
CVEs
19
Across products
19
Status
Private

Products

1

Recent CVEs

19
  • CVE-2026-9506HigJun 8, 2026
    risk 0.57cvss epss 0.00

    This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access…

  • CVE-2026-21450Jan 2, 2026
    risk 0.00cvss epss 0.01

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.

  • CVE-2026-21451Jan 2, 2026
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `` tags, the filtering can be bypassed by…

  • CVE-2026-21449Jan 2, 2026
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.

  • CVE-2026-21448Jan 2, 2026
    risk 0.00cvss epss 0.01

    Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code…

  • CVE-2026-21447Jan 2, 2026
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by…

  • CVE-2026-21446Jan 2, 2026
    risk 0.00cvss epss 0.01

    Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any…

  • CVE-2025-62415Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in…

  • CVE-2025-62418Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the…

  • CVE-2025-62414Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads…

  • CVE-2025-62416Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with…

  • CVE-2025-62417Oct 16, 2025
    risk 0.00cvss epss 0.00

    Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as…

  • CVE-2025-60880Oct 10, 2025
    risk 0.00cvss epss 0.00

    An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute…

  • CVE-2025-56426Oct 9, 2025
    risk 0.00cvss epss 0.00

    An issue WebKul Bagisto v.2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint, specifically, the price calculation logic fails to validate quantity inputs properly.

  • CVE-2025-40675Jun 9, 2025
    risk 0.00cvss epss 0.00

    A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can…

  • CVE-2023-36238Mar 13, 2024
    risk 0.00cvss epss 0.01

    Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.

  • CVE-2024-27499Mar 1, 2024
    risk 0.00cvss epss 0.01

    Bagisto v1.5.1 is vulnerable for Cross site scripting(XSS) via png file upload vulnerability in product review option.

  • CVE-2023-36237Feb 26, 2024
    risk 0.00cvss epss 0.00

    Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.

  • CVE-2023-33570Jun 28, 2023
    risk 0.00cvss epss 0.01

    Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).