{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21448", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.277Z", "datePublished": "2026-01-02T20:18:08.519Z", "dateUpdated": "2026-01-02T21:29:34.047Z"}, "containers": {"cna": {"title": "Bagisto has Normal & Blind SSTI from low-privilege user when ordering product", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6"}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"version": "< 2.3.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T20:18:08.519Z"}, "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch."}], "source": {"advisory": "GHSA-5j4h-4f72-qpm6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T21:29:24.779685Z", "id": "CVE-2026-21448", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T21:29:34.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21448", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-02T21:29:24.779685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T21:29:30.264Z"}}], "cna": {"title": "Bagisto has Normal & Blind SSTI from low-privilege user when ordering product", "source": {"advisory": "GHSA-5j4h-4f72-qpm6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"status": "affected", "version": "< 2.3.10"}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6", "name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T20:18:08.519Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21448", "state": "PUBLISHED", "dateUpdated": "2026-01-02T21:29:34.047Z", "dateReserved": "2025-12-29T03:00:29.277Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-02T20:18:08.519Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9A19FD0-5100-48D6-BBB3-5A4CA1D90593", "versionEndExcluding": "2.3.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch."}], "id": "CVE-2026-21448", "lastModified": "2026-01-08T21:22:34.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-02T21:15:59.053", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:22:34.682534+00:00", "value": {"mitigation_remediation": ["Apply Bagisto patch 2.3.10 or later to eliminate the SSTI flaw.", "Restrict or sanitize template rendering for the add address flow to prevent untrusted input from being processed.", "Implement a web application firewall (WAF) rule set that blocks known SSTI payload patterns and monitors for suspicious admin view activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Bagisto, an open source Laravel eCommerce platform developed by Webkul. Versions earlier than 2.3.10 are vulnerable. Version 2.3.10 includes a patch that mitigates the injection vector by sanitizing or restricting template rendering in the add address flow.", "description_and_impact": "The vulnerability is a server\u2011side template injection (SSTI) that can be triggered by a normal customer during the \"add address\" step of a product order. By supplying crafted input, the attacker can cause the application to execute arbitrary code within the context of the Bagisto admin interface. This allows compromise of the server, data exfiltration, and further lateral movement. The weakness is identified as CWE\u20111336, indicating that trusted template processing is incorrectly performed on untrusted input.", "risk_and_exploitability": "The CVSS score of 8.9 marks the issue as high severity, while the EPSS score of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be an unauthenticated or low\u2011privilege web user ordering a product, which enables injection of a malicious template payload that is executed on the server when rendered in an admin context."}}}}, "created": "2026-01-05T10:13:40.643487+00:00", "updated": "2026-04-18T19:30:08.961623+00:00", "vendors": ["webkul", "webkul$PRODUCT$bagisto"]}