Description
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.
Published: 2026-01-02
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a server-side template injection (SSTI) that a normal customer can trigger during the "add address" step of a product order. By supplying crafted input, the attacker can cause the application to execute arbitrary code within the context of the Bagisto admin interface, which allows compromise of the server, data exfiltration, and further lateral movement. The weakness is classified as CWE-1336 (improper neutralization of special elements used in a template engine), meaning that untrusted input reaches the template engine and is processed as template code rather than as plain data.

Affected Systems

The affected product is Bagisto, an open source Laravel eCommerce platform developed by Webkul. Versions earlier than 2.3.10 are vulnerable. Version 2.3.10 includes a patch that mitigates the injection vector by sanitizing or restricting template rendering in the add address flow.

Risk and Exploitability

The CVSS score of 8.9 marks the issue as high severity, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be an unauthenticated or low-privilege web user ordering a product, who stores a malicious template payload that is executed on the server when the value is later rendered in an admin context.

Generated by OpenCVE AI on April 18, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Bagisto patch 2.3.10 or later to eliminate the SSTI flaw.
  • Restrict or sanitize template rendering for the add address flow so that untrusted customer input is never processed as template code.
  • Implement a web application firewall (WAF) rule set that blocks known SSTI payload patterns and monitors for suspicious admin view activity.


Advisories

Source: GitHub GHSA
ID: GHSA-5j4h-4f72-qpm6
Title: Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

History

Thu, 08 Jan 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Webkul; Webkul bagisto

Type: Vendors & Products
Values Added: Webkul; Webkul bagisto

Fri, 02 Jan 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 02 Jan 2026 20:30:00 +0000

Type: Description
Values Added: Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.

Type: Title
Values Added: Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

Type: Weaknesses
Values Added: CWE-1336

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T21:29:34.047Z

Reserved: 2025-12-29T03:00:29.277Z

Link: CVE-2026-21448

Vulnrichment

Updated: 2026-01-02T21:29:30.264Z

NVD

Status: Analyzed

Published: 2026-01-02T21:15:59.053

Modified: 2026-01-08T21:22:34.810

Link: CVE-2026-21448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses