Description
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.
Published: 2026-01-02
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Bagisto versions below 2.3.10 are vulnerable to Server-Side Template Injection through the 'type' query parameter. An attacker who can supply a crafted value can cause the application to render arbitrary template code, which may lead to remote code execution or similar high-impact consequences. The weakness is classified as View Layer Template Injection (CWE-1336).

Affected Systems

The affected product is the Bagisto e-commerce platform. All releases from the initial launch up through version 2.3.9 are impacted. The vulnerable code resides in the core application layer, and the issue was fixed in Bagisto 2.3.10.

Risk and Exploitability

The CVSS base score is 7.3, indicating a high severity. The EPSS score is less than 1 percent, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack path requires an attacker to send a malicious request to the web application, most likely via HTTP. Successful exploitation also depends on the ability to inject and execute template code.

Generated by OpenCVE AI on April 18, 2026 at 08:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bagisto to version 2.3.10 or later.
  • If an upgrade cannot be applied immediately, neutralize or restrict the 'type' parameter in the affected endpoint, limiting it to a whitelist of allowed values.
  • Limit access to the area of the application that processes the 'type' parameter to trusted administrators only.


Advisories

  Source: GitHub GHSA
  ID:     GHSA-9hvg-qw5q-wqwp
  Title:  Bagisto SSTI vulnerability in type parameter can lead to RCE
History

Thu, 08 Jan 2026 21:30:00 +0000

  Type: CPEs
    Values Added: cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*
  Type: Metrics (cvssV3_1)
    Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 05 Jan 2026 10:45:00 +0000

  Type: First Time appeared
    Values Added: Webkul; Webkul bagisto
  Type: Vendors & Products
    Values Added: Webkul; Webkul bagisto

Fri, 02 Jan 2026 22:15:00 +0000

  Type: Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 02 Jan 2026 21:00:00 +0000

  Type: Description
    Values Added: Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.
  Type: Title
    Values Added: Bagisto has SSTI in parameter that can lead to RCE
  Type: Weaknesses
    Values Added: CWE-1336
  Type: References
    Values Added: (not listed on the page)
  Type: Metrics (cvssV4_0)
    Values Added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T21:24:43.041Z

Reserved: 2025-12-29T03:00:29.277Z

Link: CVE-2026-21450

Vulnrichment

Updated: 2026-01-02T21:24:29.721Z

NVD

Status: Analyzed

Published: 2026-01-02T21:16:02.797

Modified: 2026-01-08T21:20:38.707

Link: CVE-2026-21450

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses