📦 Bagisto
by Webkul
🔍 What is Bagisto?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
Bagisto eCommerce platforms running versions before 2.3.10 are vulnerable to server-side template injection via the type parameter. This allows attackers to execute arbitrary code remotely, potentiall...
Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection that can lead to remote code execution. When customers add addresses during checkout, they can inject...
Bagisto eCommerce platform versions before 2.3.10 have unprotected API endpoints that remain accessible after installation. Unauthenticated attackers can directly access these endpoints to create admi...
Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection (SSTI) through first name and last name fields. This allows low-privilege users to execute arbitrary ...
A stored Cross-Site Scripting (XSS) vulnerability in Bagisto eCommerce platform allows attackers to inject malicious JavaScript into CMS pages by bypassing input sanitization via HTTP POST manipulatio...
An Insecure Direct Object Reference vulnerability in Bagisto eCommerce platform allows authenticated customers to add items from other customers' orders to their own cart by manipulating order IDs. Th...
Bagisto eCommerce platform versions before 2.3.8 accept product data starting with spreadsheet formula characters (=, +, -, @). When exported to CSV and opened in spreadsheet software, these cells are...
An authenticated stored XSS vulnerability in Bagisto 2.3.6 allows admin users to upload malicious SVG files containing JavaScript code. When viewed, this code executes in victims' browsers, potentiall...
This Cross-Site Request Forgery (CSRF) vulnerability in Bagisto e-commerce platform allows attackers to trick authenticated users into executing malicious actions without their consent. Attackers can ...
Bagisto v1.5.1 contains a Server-Side Template Injection (SSTI) vulnerability that allows attackers to execute arbitrary code on the server. This affects all Bagisto installations running version 1.5....
This vulnerability allows authenticated administrators in Bagisto v2.3.7 to upload malicious HTML files containing JavaScript through the TinyMCE image upload feature. When these files are viewed, the...
Bagisto v2.3.7 has a Server-Side Template Injection vulnerability in product description rendering that allows authenticated attackers with product creation privileges to execute arbitrary code on the...
A remote code execution vulnerability in Webkul Bagisto v2.3.6 allows attackers to execute arbitrary code via the Cart/Checkout API endpoint. The price calculation logic fails to properly validate qua...
A reflected XSS vulnerability in Bagisto v2.0.0 allows attackers to execute malicious JavaScript in victims' browsers via crafted URLs containing malicious 'query' parameters in the search endpoint. T...