Search Results (12 CVEs found)
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-21447 | Webkul | Bagisto | 2026-01-08 | 7.1 High | Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. |
| CVE-2026-21448 | Webkul | Bagisto | 2026-01-08 | 9.8 Critical | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value that is executed in the admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch. |
| CVE-2026-21449 | Webkul | Bagisto | 2026-01-08 | 8.8 High | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name fields from a low-privilege user. Version 2.3.10 fixes the issue. |
| CVE-2026-21450 | Webkul | Bagisto | 2026-01-08 | 9.8 Critical | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue. |
| CVE-2025-40675 | Webkul | Bagisto | 2025-10-06 | 6.1 Medium | A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. |
| CVE-2024-27499 | Webkul | Bagisto | 2025-08-11 | 6.5 Medium | Bagisto v1.5.1 is vulnerable to Cross-Site Scripting (XSS) via a PNG file upload in the product review option. |
| CVE-2023-36236 | Webkul | Bagisto | 2025-06-17 | 4.8 Medium | Cross-Site Scripting vulnerability in Webkul Bagisto v1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file upload. |
| CVE-2023-36238 | Webkul | Bagisto | 2025-04-14 | 6.5 Medium | Insecure Direct Object Reference (IDOR) in Bagisto v1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. |
| CVE-2023-36237 | Bagisto, Webkul | Bagisto | 2025-04-11 | 8.8 High | Cross-Site Request Forgery vulnerability in Bagisto before v1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script. |
| CVE-2023-33570 | Webkul | Bagisto | 2024-11-27 | 8.8 High | Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI). |
| CVE-2019-16403 | Webkul | Bagisto | 2024-11-21 | 8.8 High | In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers. |
| CVE-2019-14933 | Webkul | Bagisto | 2024-11-21 | N/A | Bagisto 0.1.5 allows CSRF under /admin URIs. |