Severity | Score | Advisory | Affected versions
CRITICAL | 9.8 | CVE-2026-21448: Bagisto has Normal & Blind SSTI from low-privilege user when ordering product | from 0, < 2.3.10
CRITICAL | 9.8 | CVE-2026-21446: Bagisto Missing Authentication on Installer API Endpoints | >= 2.3.0, < 2.3.10
CRITICAL | 9.0 | bagisto has CSV Formula Injection in Create New Product | from 0, < 2.3.8
HIGH | 8.8 | Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users | from 0, < 2.3.10
HIGH | 8.8 | Bagisto Cross-Site Request Forgery vulnerability | from 0, < 1.3.2
HIGH | 8.8 | Bagisto CSRF Vulnerability | from 0, < 0.1.5
HIGH | 8.8 | Authorization Bypass Through User-Controlled Key in Bagisto | from 0, < 0.1.5
HIGH | 8.3 | Bagisto is vulnerable to XSS through Admin Panel's product creation path | >= 2.3.6, < 2.3.7
HIGH | 7.1 | Bagisto has IDOR in Customer Order Reorder Functionality | from 0, < 2.3.10
MEDIUM | 6.9 | bagisto has Cross Site Scripting (XSS) in Create New Customer | from 0, < 2.3.8
MEDIUM | 6.9 | bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG) | from 0, < 2.3.8
MEDIUM | 6.9 | bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML) | from 0, < 2.3.8
MEDIUM | 6.5 | Bagisto vulnerable to Insecure Direct Object Reference (IDOR) | from 0, < 1.3.2
MEDIUM | 6.5 | Bagisto Cross-site Scripting vulnerability | from 0, < 2.1.0
MEDIUM | 6.3 | Bagisto affected by Server-Side Request Forgery | from 0, <= 2.3.15
MEDIUM | 5.1 | bagisto has Server Side Template Injection (SSTI) in Product Description | from 0, < 2.3.8
MEDIUM | 4.8 | Cross-site Scripting in Bagisto | from 0, < 1.3.2
LOW | 3.5 | Bagisto affected by Cross-site Scripting | from 0, <= 2.3.15
(no score) | — | Bagisto SSTI vulnerability in type parameter can lead to RCE | from 0, < 2.3.10
(no score) | — | Bagisto has HTML Filter Bypass that Enables Stored XSS | from 0, < 2.3.10