Webkul Bagisto

22 CVEs affecting Webkul Bagisto. Latest disclosed: 2026-06-08. Critical: 3, High: 9.

Top CVEs affecting Webkul Bagisto

CVE | Severity | Score | Published | Summary
--- | --- | --- | --- | ---
CVE-2026-21450 | Critical | 9.8 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can l…
CVE-2026-21448 | Critical | 9.8 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders…
CVE-2026-21446 | Critical | 9.8 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation i…
CVE-2026-21449 | High | 8.8 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name fr…
CVE-2023-36237 | High | 8.8 | 2024-02-26 | Cross-Site Request Forgery vulnerability in Bagisto before v1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.
CVE-2023-33570 | High | 8.8 | 2023-06-28 | Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
CVE-2019-16403 | High | 8.8 | 2019-09-18 | In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by…
CVE-2019-14933 | High | 8.8 | 2019-08-11 | Bagisto 0.1.5 allows CSRF under /admin URIs.
CVE-2026-21451 | High | 8.4 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CM…
CVE-2025-60880 | High | 8.3 | 2025-10-10 | An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file co…
CVE-2025-62417 | High | 7.8 | 2025-10-16 | Bagisto is an open-source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepte…
CVE-2026-21447 | High | 7.1 | 2026-01-02 | Bagisto is an open-source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder…
CVE-2025-62418 | Medium | 6.9 | 2025-10-16 | Bagisto is an open-source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (…
CVE-2025-62415 | Medium | 6.9 | 2025-10-16 | Bagisto is an open-source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (…
CVE-2025-62414 | Medium | 6.9 | 2025-10-16 | Bagisto is an open-source Laravel eCommerce platform. In Bagisto v2.3.7, the "Create New Customer" feature (in the admin panel) is vulnerable to Cross-Site Scr…
CVE-2025-56426 | Medium | 6.5 | 2025-10-09 | An issue in WebKul Bagisto v2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint, specifically the price calculation logi…
CVE-2023-36238 | Medium | 6.5 | 2024-03-13 | Insecure Direct Object Reference (IDOR) in Bagisto v1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.
CVE-2024-27499 | Medium | 6.5 | 2024-03-01 | Bagisto v1.5.1 is vulnerable to cross-site scripting (XSS) via PNG file upload in the product review option.
CVE-2025-40675 | Medium | 6.1 | 2025-06-09 | A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the…
CVE-2025-62416 | Medium | 5.1 | 2025-10-16 | Bagisto is an open-source Laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being…
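The CVE-2025-62417 row describes the classic CSV/formula-injection pattern: product text beginning with =, +, -, or @ is later exported and evaluated by a spreadsheet. The following is an added example written for this page, not Bagisto's own code, showing the usual export-side defence: any text cell that a spreadsheet would treat as a formula is prefixed with a single quote so it renders as literal text, while numeric fields are left numeric so a negative price is not mangled. The product rows, the attacker.example URL and the function names are constructed for illustration.

```python
import csv
import io

# Characters that make a cell start a formula in Excel, LibreOffice and Google Sheets.
# Tab and carriage return are included because some importers treat them as
# field separators, so the character after them can start a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet consumer could evaluate this cell as a formula."""
    if not value:
        return False
    if value[0] in FORMULA_TRIGGERS:
        return True
    # Conservative: importers that trim leading spaces would still see "=...".
    return value.lstrip(" ")[:1] in ("=", "+", "-", "@")


def neutralise_cell(value):
    """Prefix formula-like text with a single quote so it renders as text.

    Non-string values (prices, quantities) pass through untouched: a price of
    -5.0 must stay a number in the export instead of becoming the text "'-5.0".
    """
    if not isinstance(value, str):
        return value
    return "'" + value if is_formula_like(value) else value


def export_rows(rows, fieldnames) -> str:
    """Serialise dict rows to CSV with every text cell neutralised.

    QUOTE_ALL is used for consistency only; quoting alone does NOT stop a
    spreadsheet from evaluating "=1+1", which is why the prefix is needed.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample data: hypothetical product rows, not taken from any real store.
SAMPLE_PRODUCTS = [
    {"sku": "SKU-001", "name": "Blue Shirt", "description": "Plain cotton shirt", "price": 19.99},
    {"sku": "SKU-002", "name": '=HYPERLINK("http://attacker.example/x","click")',
     "description": "-2+3", "price": 5.0},
    {"sku": "+1", "name": " @SUM(A1:A3)", "description": "ok", "price": -5.0},
]
FIELDNAMES = ["sku", "name", "description", "price"]


if __name__ == "__main__":
    print(export_rows(SAMPLE_PRODUCTS, FIELDNAMES))
```

Two caveats worth keeping in mind: the prefix is an export-time control, so it must be applied wherever product text leaves the application as CSV (admin exports, reports, data feeds), and it deliberately only touches string fields, because neutralising a numeric column would turn every negative value into text.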