Bagisto/bagisto

This hub aggregates every CVE we track for Bagisto/bagisto, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Libraries

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

HIGH8MEDIUM7CRITICAL3

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Bagisto/bagisto.

CVE-2026-21450Bagisto has SSTI in parameter that can lead to RCE9.8Jan 2, 2026
CVE-2026-21451Bagisto has HTML Filter Bypass that Enables Stored XSS8.4Jan 2, 2026
CVE-2026-21449Bagisto has SSTI via first and last name from low-privilege user (not admin)8.8Jan 2, 2026
CVE-2026-21448Bagisto has Normal & Blind SSTI from low-privilege user when ordering product9.8Jan 2, 2026
CVE-2026-21447Bagisto has IDOR in Customer Order Reorder Functionality7.1Jan 2, 2026
CVE-2026-21446Bagisto Missing Authentication on Installer API Endpoints9.8Jan 2, 2026
CVE-2025-62415bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)6.9Oct 16, 2025
CVE-2025-62418bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)6.9Oct 16, 2025
CVE-2025-62414bagisto - Cross Site Scripting (XSS) in Create New Customer6.9Oct 16, 2025
CVE-2025-62416bagisto - Server Side Template Injection (SSTI) in Product Description5.1Oct 16, 2025
CVE-2025-62417bagisto - CSV Formula Injection in Create New Product7.8Oct 16, 2025
CVE-2025-60880An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. Th...8.3Oct 10, 2025
CVE-2023-36238Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.6.5Mar 13, 2024
CVE-2024-27499Bagisto v1.5.1 is vulnerable for Cross site scripting(XSS) via png file upload vulnerability in product review option.6.5Mar 1, 2024
CVE-2023-36237Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.8.8Feb 26, 2024

Product normalization is registry-driven with AI assist and human review. How it works