Description
Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection (SSTI). A normal, low-privilege customer who orders any product can, at the add-address step, submit a value that is later evaluated as template code when the order is viewed in the admin panel. Because the injected template runs on the server, the issue can lead to remote code execution. Version 2.3.10 contains a patch; installations should upgrade to 2.3.10 or later.
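The pattern behind CWE-1336 as the advisory describes it, shown as an added Laravel/Blade illustration. This is not Bagisto's code and does not reproduce the actual vulnerable location; the controller, model and field names (`OrderAddressController`, `App\Models\Order`, `shipping_address->address1`) are assumptions chosen to make the point readable. The two methods differ only in whether customer-supplied text becomes template source or template data.

```php
<?php
// Added illustration, not Bagisto's code. Shows a customer-supplied address
// field reaching the Blade engine as template SOURCE (vulnerable) versus as
// template DATA (hardened). Class, model and field names are hypothetical.

namespace App\Http\Controllers\Admin;

use App\Models\Order;                        // hypothetical model
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Blade;        // Blade::render() exists in Laravel 9+

class OrderAddressController
{
    // VULNERABLE (hypothetical): the stored address string is concatenated into
    // the template and compiled by Blade. Any {{ ... }}, {!! ... !!} or @php
    // directive the customer typed at checkout is evaluated server-side when an
    // admin opens the order, which is how SSTI escalates to code execution.
    public function showVulnerable(Request $request, Order $order): string
    {
        $address = $order->shipping_address->address1; // customer-controlled

        return Blade::render('<div class="address">' . $address . '</div>');
    }

    // HARDENED: the template source is a constant string; the address is handed
    // in as a variable and printed through the escaped {{ }} echo, so user input
    // is never parsed as Blade and HTML metacharacters are entity-encoded.
    public function showHardened(Request $request, Order $order): string
    {
        $address = $order->shipping_address->address1;

        return Blade::render(
            '<div class="address">{{ $address }}</div>',
            ['address' => $address]
        );
    }

    // Defense in depth at the input boundary: bound the field so that a template
    // payload has less room, and keep it a plain string. Validation alone does
    // not fix SSTI; the template/data separation above is the actual fix.
    public static function addressRules(): array
    {
        return [
            'address1' => ['required', 'string', 'max:255'],
        ];
    }
}
```

The "blind" variant named in the related advisory matters here: even when the admin page does not display the evaluated result, the template is still compiled and executed when the view is rendered, so the absence of visible output is not evidence that the injection failed. The only reliable fix is the one in `showHardened`: user data goes into the data array, never into the template string.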
References
- Exploit
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 2.3.10 (exclusive)
cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*
EPSS: 0.00358 (percentile 57%, Low)
CVSS3: 9.8 Critical
Weaknesses: CWE-1336
Related vulnerabilities
- github, about 1 month ago: Bagisto has Normal & Blind SSTI from low-privilege user when ordering product (CVSS3: 9.8)