CVE-2025-60880
Bagisto is vulnerable to XSS through Admin Panel's product creation path
8.3
HIGH
CVSS 3.1
EPSS 0.01%
Description
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
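The root cause described above is an image upload path that accepts SVG, an XML format that can carry script elements, event-handler attributes and `javascript:` URLs, so the file executes when an admin's browser renders it inline. The following is an added defensive example, not Bagisto's code or its patch: a stdlib-only Python validator that an upload handler could run before storing an SVG. The element and attribute lists, the size cap, and the sample SVG documents are constructed for this illustration.

```python
"""Reject SVG uploads that carry active content (script, event handlers, script URLs).

Added defensive example; not part of the Bagisto project. Uses only the standard
library. For untrusted XML at scale, a hardened parser such as defusedxml is the
usual choice; the size cap below is a constructed limit that narrows entity-expansion risk.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign markup (constructed deny list).
FORBIDDEN_ELEMENTS = {"script", "handler", "foreignobject", "iframe", "embed", "object"}
MAX_SVG_BYTES = 2 * 1024 * 1024  # constructed upload size cap

_CONTROL = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _local(name: str) -> str:
    """ElementTree spells namespaced names as '{uri}local'; keep the local part."""
    return name.rsplit("}", 1)[-1]


def _is_dangerous_url(value: str) -> bool:
    """True for javascript:/vbscript: URLs and for data: URLs that are not raster images."""
    # Browsers discard embedded whitespace and control characters before scheme
    # parsing, so "java\tscript:" still runs; strip the same characters first.
    cleaned = _CONTROL.sub("", value)
    m = _SCHEME.match(cleaned)
    if not m:
        return False  # relative or fragment reference such as "#gradient"
    scheme = m.group(1).lower()
    if scheme in ("javascript", "vbscript"):
        return True
    if scheme == "data":
        body = cleaned[len("data:"):].lower()
        # Inline raster images are acceptable; nested SVG, HTML or anything else is not.
        return not body.startswith("image/") or body.startswith("image/svg")
    return False


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of reasons the SVG should be rejected; empty means clean."""
    if len(svg_bytes) > MAX_SVG_BYTES:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag).lower() != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings: list[str] = []
    for elem in root.iter():  # walks the root and every descendant
        name = _local(elem.tag)
        if name.lower() in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            a = _local(attr).lower()  # xlink:href and href collapse to "href"
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            elif a in ("href", "src") and _is_dangerous_url(value):
                findings.append(f"script/data URL in {a} on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Gate an upload handler would call before writing the file to storage."""
    return not find_active_content(svg_bytes)


# Constructed sample documents.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
          b'<rect width="10" height="10" fill="#06c"/></svg>')
SCRIPT_TAG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
JS_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<a xlink:href="java&#9;script:alert(1)"><text>x</text></a></svg>')
RASTER_IMAGE = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<image href="data:image/png;base64,iVBORw0KGgo="/></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("script", SCRIPT_TAG), ("onload", ONLOAD),
                       ("js-href", JS_HREF), ("raster", RASTER_IMAGE)]:
        print(f"{label:8s} safe={is_safe_svg(doc)} {find_active_content(doc)}")
```

Validation alone does not make inline SVG rendering safe; the complementary controls are to serve user-supplied SVG with `Content-Disposition: attachment` or from a separate origin, or to rasterize it server-side, so that even a file the filter misses cannot run in the admin origin.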
How to fix CVE-2025-60880
To remediate CVE-2025-60880, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.7 or later
Is CVE-2025-60880 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.3.6, < 2.3.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.3 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H |