Security Advisories - bagisto/bagisto

bagisto/bagisto Security Advisories for v0.1.4 (16)

[HIGH] Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users

PKSA-xfmk-zmw2-3qhw CVE-2026-21449 GHSA-mqhg-v22x-pqj8

Affected version: <2.3.10

Reported by:
GitHub
[HIGH] Bagisto has IDOR in Customer Order Reorder Functionality

PKSA-jq1s-445j-c4rw CVE-2026-21447 GHSA-x5rw-qvvp-5cgm

Affected version: <2.3.10

Reported by:
GitHub
[HIGH] Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

PKSA-td46-kz3d-nfhj CVE-2026-21448 GHSA-5j4h-4f72-qpm6

Affected version: <2.3.10

Reported by:
GitHub
[HIGH] Bagisto SSTI vulnerability in type parameter can lead to RCE

PKSA-fhhx-v12v-v3yr CVE-2026-21450 GHSA-9hvg-qw5q-wqwp

Affected version: <2.3.10

Reported by:
GitHub
[MEDIUM] Bagisto has HTML Filter Bypass that Enables Stored XSS

PKSA-441j-tpq7-k5ms CVE-2026-21451 GHSA-2mwc-h2mg-v6p8

Affected version: <2.3.10

Reported by:
GitHub
[MEDIUM] bagisto has Cross Site Scripting (XSS) in Create New Customer

PKSA-9w6g-8v1f-df8w CVE-2025-62414 GHSA-r9xj-mvqf-jm7w

Affected version: <=2.3.7

Reported by:
GitHub
[CRITICAL] bagisto has CSV Formula Injection in Create New Product

PKSA-25zg-f27r-886n CVE-2025-62417 GHSA-jqrp-58fv-w8cq

Affected version: <=2.3.7

Reported by:
GitHub
[MEDIUM] bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

PKSA-29h4-8qhb-8hq4 CVE-2025-62418 GHSA-fg89-g389-p346

Affected version: <=2.3.7

Reported by:
GitHub
[MEDIUM] bagisto has Server Side Template Injection (SSTI) in Product Description

PKSA-tfym-n9wv-r1z9 CVE-2025-62416 GHSA-527q-4wqv-g9wj

Affected version: <=2.3.7

Reported by:
GitHub
[MEDIUM] bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

PKSA-wxrw-qyv9-p442 CVE-2025-62415 GHSA-67px-r26w-598x

Affected version: <=2.3.7

Reported by:
GitHub
[MEDIUM] Bagisto vulnerable to Insecure Direct Object Reference (IDOR)

PKSA-wb8p-jgfr-t7k3 CVE-2023-36238 GHSA-pmc7-hmmw-g96q

Affected version: <1.3.2

Reported by:
GitHub
[MEDIUM] Bagist Cross-site Scripting vulnerability

PKSA-77rb-vgws-7fh6 CVE-2024-27499 GHSA-w5mx-334j-6fwv

Affected version: <2.1.0

Reported by:
GitHub
[HIGH] Bagisto Cross-Site Request Forgery vulnerability

PKSA-w4jp-j8db-3n21 CVE-2023-36237 GHSA-7p7q-fjfw-v3gf

Affected version: <1.3.2

Reported by:
GitHub
[MEDIUM] Cross-site Scripting in Bagisto

PKSA-8qxk-cvft-wh5z CVE-2023-36236 GHSA-c962-g533-823f

Affected version: <1.3.2

Reported by:
GitHub
[HIGH] Bagisto CSRF Vulnerability

PKSA-snz4-ktkv-sv86 CVE-2019-14933 GHSA-pgwp-f3xh-m24g

Affected version: <0.1.5

Reported by:
GitHub
[MEDIUM] Authorization Bypass Through User-Controlled Key in Bagisto

PKSA-m35w-k2t4-s1nv CVE-2019-16403 GHSA-pwrf-q7h8-jjr7

Affected version: <0.1.5

Reported by:
GitHub

bagisto/bagisto Security Advisories for v0.1.4 (16)

[HIGH] Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users

[HIGH] Bagisto has IDOR in Customer Order Reorder Functionality

[HIGH] Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

[HIGH] Bagisto SSTI vulnerability in type parameter can lead to RCE

[MEDIUM] Bagisto has HTML Filter Bypass that Enables Stored XSS

[MEDIUM] bagisto has Cross Site Scripting (XSS) in Create New Customer

[CRITICAL] bagisto has CSV Formula Injection in Create New Product

[MEDIUM] bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

[MEDIUM] bagisto has Server Side Template Injection (SSTI) in Product Description

[MEDIUM] bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

[MEDIUM] Bagisto vulnerable to Insecure Direct Object Reference (IDOR)

[MEDIUM] Bagist Cross-site Scripting vulnerability

[HIGH] Bagisto Cross-Site Request Forgery vulnerability

[MEDIUM] Cross-site Scripting in Bagisto

[HIGH] Bagisto CSRF Vulnerability

[MEDIUM] Authorization Bypass Through User-Controlled Key in Bagisto