CVE-2026-6744 - Vulnerability Details

- Bagisto Downloadable Link copy server-side request forgery

Description

A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."

Published: 2026-04-21

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A server‑side request forgery vulnerability exists in Bagisto versions up to 2.3.15. The flaw is triggered by manipulating the copy operation in the Downloadable Link handler, allowing an attacker to cause the application server to issue HTTP requests to arbitrary URLs. This can be exploited remotely to reach internal or external resources, potentially leaking sensitive data or facilitating further attacks. The weakness corresponds to CWE‑918.

Affected Systems

All installations of Bagisto version 2.3.15 or earlier are affected. The vendor has indicated that the issue will be addressed in forthcoming releases, but no patch version is listed in the data provided.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium severity range, and the EPSS score is not available, suggesting limited publicly observed exploitation. The vulnerability is not listed in the CISA KEV package, and the attack vector is inferred to be remote, with the attacker needing only to send crafted requests to the copy endpoint to trigger the SSRF.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Bagisto

affected

Version	Status	Constraints
`2.3.0`	affected	—
`2.3.1`	affected	—
`2.3.2`	affected	—
`2.3.3`	affected	—
`2.3.4`	affected	—
`2.3.5`	affected	—
`2.3.6`	affected	—
`2.3.7`	affected	—
`2.3.8`	affected	—
`2.3.9`	affected	—
`2.3.10`	affected	—
`2.3.11`	affected	—
`2.3.12`	affected	—
`2.3.13`	affected	—
`2.3.14`	affected	—
`2.3.15`	affected	—

No data.

Vendor Product Confidence Versions

Bagisto

80%

Version	Status	Scheme	Platform
`2.3.0`	affected	semver	—
`2.3.1`	affected	semver	—
`2.3.2`	affected	semver	—
`2.3.3`	affected	semver	—
`2.3.4`	affected	semver	—
`2.3.5`	affected	semver	—
`2.3.6`	affected	semver	—
`2.3.7`	affected	semver	—
`2.3.8`	affected	semver	—
`2.3.9`	affected	semver	—
`2.3.10`	affected	semver	—
`2.3.11`	affected	semver	—
`2.3.12`	affected	semver	—
`2.3.13`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Bagisto to a version that includes the fix for the copy‑handler SSRF vulnerability
If immediate upgrade is not feasible, restrict application outbound HTTP traffic by configuring the network firewall or application gateway to allow only known safe destinations, thereby blocking unauthorized SSRF actions
Enable logging and alerting on the copy endpoint to detect anomalous external requests or failures, and review logs periodically for evidence of exploitation

Generated by OpenCVE AI on April 22, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.google.com/file/d/1pVSN3BYjI_rUE2Jms5EcIBGSMdrq6Wql/view?usp=sharing
https://vuldb.com/submit/794680
https://vuldb.com/vuln/358435
https://vuldb.com/vuln/358435/cti

History

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bagisto Bagisto bagisto
Vendors & Products		Bagisto Bagisto bagisto

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."
Title		Bagisto Downloadable Link copy server-side request forgery
Weaknesses		CWE-918
References		https://drive.google.com/file/d/1pVSN3BYjI_rUE2Jms5EcIBGSMdrq6Wql/view?usp=sharing https://vuldb.com/submit/794680 https://vuldb.com/vuln/358435 https://vuldb.com/vuln/358435/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Bagisto Bagisto

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-21T18:00:17.506Z

Updated: 2026-04-22T13:27:41.715Z

Reserved: 2026-04-21T12:03:58.906Z

Link: CVE-2026-6744

Vulnrichment

Updated: 2026-04-22T13:27:32.799Z

NVD

Status : Received

Published: 2026-04-21T19:16:18.727

Modified: 2026-04-21T19:16:18.727

Link: CVE-2026-6744

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object