Webkul Bagisto
22 CVEs affecting Webkul Bagisto. Latest disclosed: 2026-06-08. Critical: 3, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-21450 | Critical | 9.8 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can l… |
| CVE-2026-21448 | Critical | 9.8 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders… |
| CVE-2026-21446 | Critical | 9.8 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation i… |
| CVE-2026-21449 | High | 8.8 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name fr… |
| CVE-2023-36237 | High | 8.8 | 2024-02-26 | Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script. |
| CVE-2023-33570 | High | 8.8 | 2023-06-28 | Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI). |
| CVE-2019-16403 | High | 8.8 | 2019-09-18 | In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by… |
| CVE-2019-14933 | High | 8.8 | 2019-08-11 | Bagisto 0.1.5 allows CSRF under /admin URIs. |
| CVE-2026-21451 | High | 8.4 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CM… |
| CVE-2025-60880 | High | 8.3 | 2025-10-10 | An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file co… |
| CVE-2025-62417 | High | 7.8 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepte… |
| CVE-2026-21447 | High | 7.1 | 2026-01-02 | Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder… |
| CVE-2025-62418 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (… |
| CVE-2025-62415 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (… |
| CVE-2025-62414 | Medium | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scr… |
| CVE-2025-56426 | Medium | 6.5 | 2025-10-09 | An issue in WebKul Bagisto v.2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint, specifically, the price calculation logi… |
| CVE-2023-36238 | Medium | 6.5 | 2024-03-13 | Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. |
| CVE-2024-27499 | Medium | 6.5 | 2024-03-01 | Bagisto v1.5.1 is vulnerable to Cross-Site Scripting (XSS) via a PNG file upload vulnerability in the product review option. |
| CVE-2025-40675 | Medium | 6.1 | 2025-06-09 | A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the… |
| CVE-2025-62416 | Medium | 5.1 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being… |