Description
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.

Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
Published: 2026-06-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the ImageCacheController, where user-provided filenames are not properly validated. An attacker can supply specially crafted path traversal sequences as the filename parameter, enabling unauthenticated remote access to files located outside the intended image directory. Unauthorized reading of arbitrary files such as configuration, credentials, or source code may result, compromising confidentiality and potentially facilitating further attacks.

Affected Systems

Webkul Bagisto version 2.4.1 is affected. The vulnerability is fixed in Bagisto v2.4.2 and later. No other versions have been reported as vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. Because the flaw is exploitable remotely without authentication, the attack surface is broad. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA KEV, but the high CVSS suggests substantial risk. Exploitation requires sending a crafted HTTP request to the image cache endpoint with a filename containing traversal sequences; no additional privileges or network access restrictions are needed.

Generated by OpenCVE AI on June 8, 2026 at 11:21 UTC.

Remediation

Vendor Solution

Upgrade Bagisto to the patched version v2.4.2 or later. https://github.com/bagisto/bagisto/tree/v2.4.2


OpenCVE Recommended Actions

  • Upgrade Bagisto to v2.4.2 or later.
  • If upgrade is not immediately possible, block or restrict access to the ImageCacheController endpoint to prevent unauthenticated use.
  • Implement input validation or sanitization on the filename parameter to prevent path traversal, addressing the underlying CWE-22 weakness.

Generated by OpenCVE AI on June 8, 2026 at 11:21 UTC.
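To make the third recommended action concrete, the following is an added example of a filename containment check for a cache endpoint, written for this page rather than taken from Bagisto's code base. The function name resolveCachedImagePath, the directory layout and the sample filenames are all hypothetical; the check combines a strict allow-list on the name with a realpath-based prefix test against the intended directory, which is the standard CWE-22 mitigation.

```php
<?php
// Added example, not Bagisto's own code. Confines a user-supplied cache
// filename to the intended image directory so traversal sequences such as
// "../" cannot escape it. Names and paths below are hypothetical.

declare(strict_types=1);

/**
 * Resolve $filename inside $baseDir and return the absolute path, or null
 * when the name is malformed or resolves outside the base directory.
 */
function resolveCachedImagePath(string $baseDir, string $filename): ?string
{
    // Reject empty names, embedded NUL bytes and anything that is not a plain
    // "name.ext" with an allow-listed image extension (no slashes, no dots
    // other than the extension separator).
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(jpe?g|png|gif|webp)$/', $filename)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }

    // realpath() also resolves symlinks, so the containment check below is
    // applied to the final on-disk location, not the name the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false) {
        return null; // file does not exist or could not be resolved
    }

    // The resolved path must start with the base directory plus a separator,
    // so a sibling such as "/var/cache/images-other/" is not accepted as a
    // prefix match of "/var/cache/images".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Self-contained demonstration on a constructed temporary directory tree:
//   <root>/images/ok.png   -> the only file that should ever be served
//   <root>/secret.txt      -> outside the cache directory, must never resolve
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imgcache_demo_' . bin2hex(random_bytes(4));
$images = $root . DIRECTORY_SEPARATOR . 'images';
mkdir($images, 0700, true);
file_put_contents($images . DIRECTORY_SEPARATOR . 'ok.png', 'PNG');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'do not serve');

$cases = [
    'ok.png',          // legitimate cached image: resolves
    '../secret.txt',   // traversal sequence: rejected by the allow-list
    "ok.png\0.txt",    // NUL byte: rejected before any filesystem access
    'missing.png',     // well-formed but absent: rejected (realpath fails)
];
foreach ($cases as $name) {
    $resolved = resolveCachedImagePath($images, $name);
    printf("%-16s => %s\n", addcslashes($name, "\0"), $resolved ?? 'REJECTED');
}

// Clean up the constructed tree.
unlink($images . DIRECTORY_SEPARATOR . 'ok.png');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($images);
rmdir($root);
```

The allow-list alone would already stop the traversal cases shown, but the realpath prefix test is what keeps the check correct when the directory contains symlinks or when the allow-list is later relaxed; in a controller, a null return should map to a 404 rather than an error that echoes the submitted name.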

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 10:00:00 +0000

Values Removed: (none for any entry below)

Type: Description
Values Added: This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

Type: Title
Values Added: Path Traversal Vulnerability in Bagisto

Type: First Time appeared
Values Added: Webkul; Webkul bagisto

Type: Weaknesses
Values Added: CWE-22

Type: CPEs
Values Added: cpe:2.3:a:webkul:bagisto:version_v2.4.1:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Webkul; Webkul bagisto

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-06-08T10:27:47.044Z

Reserved: 2026-05-25T11:51:35.888Z

Link: CVE-2026-9506

Vulnrichment

Updated: 2026-06-08T10:25:44.786Z

NVD

Status : Deferred

Published: 2026-06-08T10:16:33.203

Modified: 2026-06-08T15:01:06.580

Link: CVE-2026-9506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T13:00:14Z

Weaknesses