CVE-2026-6745 - Vulnerability Details

- Bagisto Custom Scripts cross site scripting

Description

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."

Published: 2026-04-21

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Bagisto’s Custom Scripts Handler contains an XSS flaw that allows attackers to inject arbitrary user‑supplied script into pages rendered by the application. The flaw is classified as CWE‑79 and also involves a code injection path (CWE‑94). The vulnerability can be exploited remotely, as announced, giving the attacker the ability to run code in a victim’s browser when the vulnerable content is displayed. No explicit mention of authentication requirements is made in the description.

Affected Systems

All installations of Bagisto version 2.3.15 or earlier are affected. The advisory does not enumerate later releases, so any deployment that still includes the vulnerable Custom Scripts Handler before the vendor releases a fix remains at risk.

Risk and Exploitability

The CVSS score of 5.1 represents moderate severity. EPSS is unavailable, and the issue is not listed in CISA KEV, indicating no current widespread exploitation. The likely attack vector is a web‑based request to the Custom Scripts endpoint; this inference is made because the description states remote exploitation is possible, but the exact vector is not specified. Attackers could surface the injected script if a user views the affected page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Bagisto

affected

Version	Status	Constraints
`2.3.0`	affected	—
`2.3.1`	affected	—
`2.3.2`	affected	—
`2.3.3`	affected	—
`2.3.4`	affected	—
`2.3.5`	affected	—
`2.3.6`	affected	—
`2.3.7`	affected	—
`2.3.8`	affected	—
`2.3.9`	affected	—
`2.3.10`	affected	—
`2.3.11`	affected	—
`2.3.12`	affected	—
`2.3.13`	affected	—
`2.3.14`	affected	—
`2.3.15`	affected	—

No data.

Vendor Product Confidence Versions

Bagisto

85%

Version	Status	Scheme	Platform
`2.3.0`	affected	semver	—
`2.3.1`	affected	semver	—
`2.3.2`	affected	semver	—
`2.3.3`	affected	semver	—
`2.3.4`	affected	semver	—
`2.3.5`	affected	semver	—
`2.3.6`	affected	semver	—
`2.3.7`	affected	semver	—
`2.3.8`	affected	semver	—
`2.3.9`	affected	semver	—
`2.3.10`	affected	semver	—
`2.3.11`	affected	semver	—
`2.3.12`	affected	semver	—
`2.3.13`	affected	semver	—
`2.3.14`	affected	semver	—
`2.3.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Wait for and apply the vendor’s upcoming patch that addresses the Custom Scripts Handler vulnerability.
Until a fix is available, disable or remove the Custom Scripts feature to prevent user‑supplied scripts from being processed.
Deploy a web application firewall rule to deny suspicious input patterns targeting the Custom Scripts endpoint and monitor logs for attempts to inject scripts.

Generated by OpenCVE AI on April 22, 2026 at 06:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing
https://vuldb.com/submit/794681
https://vuldb.com/vuln/358436
https://vuldb.com/vuln/358436/cti

History

Wed, 22 Apr 2026 04:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bagisto Bagisto bagisto
Vendors & Products		Bagisto Bagisto bagisto

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."
Title		Bagisto Custom Scripts cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing https://vuldb.com/submit/794681 https://vuldb.com/vuln/358436 https://vuldb.com/vuln/358436/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Bagisto Bagisto

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-21T18:30:17.803Z

Updated: 2026-04-21T18:45:13.321Z

Reserved: 2026-04-21T12:04:02.182Z

Link: CVE-2026-6745

Vulnrichment

Updated: 2026-04-21T18:45:05.599Z

NVD

Status : Received

Published: 2026-04-21T19:16:18.917

Modified: 2026-04-21T19:16:18.917

Link: CVE-2026-6745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:00:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object