CVE-2026-21450
Bagisto SSTI vulnerability in type parameter can lead to RCE
EPSS 0.62%
Description
### Summary

Server-side template injection (SSTI) is possible in Bagisto via the `type` parameter and can lead to RCE and other exploitation.

### Details

1. Go to `http://127.0.0.1:8000/admin/reporting/products/view?type={{7*7}}`

(Screenshot of the rendered result omitted.)

### Impact

Can lead to RCE and command injection.
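As an added defender-side example (not from the advisory or the Bagisto project), the following Python script scans web-server access-log lines for template delimiters in the `type` parameter of the admin reporting view route named above. The combined log format, the route regex and the sample log entries are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a combined/common-format access log entry (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Blade-style template delimiters; a legitimate report type never contains these.
TEMPLATE_RE = re.compile(r'\{\{.*?\}\}|\{!!.*?!!\}', re.S)
# Scope to the admin reporting view routes from the advisory (widen if needed).
REPORTING_VIEW_RE = re.compile(r'^/admin/reporting/[^/]+/view$')

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2026:10:00:01 +0000] "GET /admin/reporting/products/view?type=best-selling HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jan/2026:10:00:07 +0000] "GET /admin/reporting/products/view?type=%7B%7B7*7%7D%7D HTTP/1.1" 200 4870
10.0.0.9 - - [10/Jan/2026:10:00:12 +0000] "GET /admin/reporting/products/view?type=%257B%257B7*7%257D%257D HTTP/1.1" 200 4870
10.0.0.7 - - [10/Jan/2026:10:01:00 +0000] "GET /admin/reporting/products?period=day&type={{7*7}} HTTP/1.1" 200 3000
"""

def decode_param(value: str) -> str:
    """Decode a query value twice so double-encoded delimiters are also seen."""
    return unquote(unquote(value))

def has_template_expression(value: str) -> bool:
    """True if the decoded parameter value carries template delimiters."""
    return TEMPLATE_RE.search(decode_param(value)) is not None

def find_ssti_probes(log_text: str) -> list[dict]:
    """Return one record per request that sends template syntax in `type`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if not REPORTING_VIEW_RE.match(url.path):
            continue
        # keep_blank_values so an empty `type=` is still inspected
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == 'type' and has_template_expression(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': url.path,
                             'type': decode_param(value), 'status': m['status']})
    return hits

if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is deliberately outside the scoped route and is not flagged; loosen `REPORTING_VIEW_RE` if other parameters should be covered.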
How to fix CVE-2026-21450
To remediate CVE-2026-21450, upgrade the affected package to a fixed version below.
- Packagist `bagisto/bagisto`: upgrade to 2.3.10 or later
Is CVE-2026-21450 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `bagisto/bagisto`: all versions from 0 up to, but not including, 2.3.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |