bagisto/bagisto Security Advisories for v1.4.2 (11)

[HIGH] Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
PKSA-xfmk-zmw2-3qhw CVE-2026-21449 GHSA-mqhg-v22x-pqj8
Affected version: <2.3.10
Reported by:
GitHub

[HIGH] Bagisto has IDOR in Customer Order Reorder Functionality
PKSA-jq1s-445j-c4rw CVE-2026-21447 GHSA-x5rw-qvvp-5cgm
Affected version: <2.3.10
Reported by:
GitHub

[HIGH] Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
PKSA-td46-kz3d-nfhj CVE-2026-21448 GHSA-5j4h-4f72-qpm6
Affected version: <2.3.10
Reported by:
GitHub

[HIGH] Bagisto SSTI vulnerability in type parameter can lead to RCE
PKSA-fhhx-v12v-v3yr CVE-2026-21450 GHSA-9hvg-qw5q-wqwp
Affected version: <2.3.10
Reported by:
GitHub

[MEDIUM] Bagisto has HTML Filter Bypass that Enables Stored XSS
PKSA-441j-tpq7-k5ms CVE-2026-21451 GHSA-2mwc-h2mg-v6p8
Affected version: <2.3.10
Reported by:
GitHub

[MEDIUM] bagisto has Cross Site Scripting (XSS) in Create New Customer
PKSA-9w6g-8v1f-df8w CVE-2025-62414 GHSA-r9xj-mvqf-jm7w
Affected version: <=2.3.7
Reported by:
GitHub

[CRITICAL] bagisto has CSV Formula Injection in Create New Product
PKSA-25zg-f27r-886n CVE-2025-62417 GHSA-jqrp-58fv-w8cq
Affected version: <=2.3.7
Reported by:
GitHub

[MEDIUM] bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
PKSA-29h4-8qhb-8hq4 CVE-2025-62418 GHSA-fg89-g389-p346
Affected version: <=2.3.7
Reported by:
GitHub

[MEDIUM] bagisto has Server Side Template Injection (SSTI) in Product Description
PKSA-tfym-n9wv-r1z9 CVE-2025-62416 GHSA-527q-4wqv-g9wj
Affected version: <=2.3.7
Reported by:
GitHub

[MEDIUM] bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
PKSA-wxrw-qyv9-p442 CVE-2025-62415 GHSA-67px-r26w-598x
Affected version: <=2.3.7
Reported by:
GitHub

[MEDIUM] Bagisto Cross-site Scripting vulnerability
PKSA-77rb-vgws-7fh6 CVE-2024-27499 GHSA-w5mx-334j-6fwv
Affected version: <2.1.0
Reported by:
GitHub