Webkul Security Vulnerabilities (CVEs)

Track 25 security vulnerabilities affecting Webkul products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

4 Critical

13 High

8 Medium

Sort by:

🔔 Get Alerts for Webkul

CVE-2026-21449 8.8

Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection (SSTI) through first name and last name fields. Thi...

Jan 2, 2026

CVE-2026-21450 9.8

Bagisto eCommerce platforms running versions before 2.3.10 are vulnerable to server-side template injection via the type parameter. This allows attack...

Jan 2, 2026

CVE-2026-21451 8.4

A stored Cross-Site Scripting (XSS) vulnerability in Bagisto eCommerce platform allows attackers to inject malicious JavaScript into CMS pages by bypa...

Jan 2, 2026

CVE-2026-21448 9.8

Bagisto eCommerce platform versions before 2.3.10 are vulnerable to server-side template injection that can lead to remote code execution. When custom...

Jan 2, 2026

CVE-2026-21447 7.1

An Insecure Direct Object Reference vulnerability in Bagisto eCommerce platform allows authenticated customers to add items from other customers' orde...

Jan 2, 2026

CVE-2026-21446 9.8

Bagisto eCommerce platform versions before 2.3.10 have unprotected API endpoints that remain accessible after installation. Unauthenticated attackers ...

Jan 2, 2026

CVE-2025-62415 6.9

This vulnerability allows authenticated administrators in Bagisto v2.3.7 to upload malicious HTML files containing JavaScript through the TinyMCE imag...

Oct 16, 2025

CVE-2025-62416 5.1

Bagisto v2.3.7 has a Server-Side Template Injection vulnerability in product description rendering that allows authenticated attackers with product cr...

Oct 16, 2025

CVE-2025-62417 7.8

Bagisto eCommerce platform versions before 2.3.8 accept product data starting with spreadsheet formula characters (=, +, -, @). When exported to CSV a...

Oct 16, 2025

CVE-2025-60880 8.3

An authenticated stored XSS vulnerability in Bagisto 2.3.6 allows admin users to upload malicious SVG files containing JavaScript code. When viewed, t...

Oct 10, 2025

CVE-2025-56426 6.5

A remote code execution vulnerability in WebKul Bagisto v2.3.6 allows attackers to execute arbitrary code via the Cart/Checkout API endpoint. The pric...

Oct 9, 2025

CVE-2025-10759 5.3

This CVE describes a CSRF token reuse vulnerability in Webkul QloApps up to version 1.7.0 that allows attackers to bypass authorization by manipulatin...

Sep 21, 2025

CVE-2025-55741 8.1

This vulnerability allows users without proper delete privileges to bypass access controls and delete products via the mass-delete endpoint in UnoPim....

Aug 22, 2025

CVE-2025-55742 8.0

UnoPim versions before 0.2.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts via SVG files at th...

Aug 21, 2025

CVE-2025-55744 4.3

UnoPim versions before 0.2.1 contain CSRF vulnerabilities in some endpoints, allowing attackers to trick authenticated users into performing unintende...

Aug 21, 2025

CVE-2025-40675 6.1

A reflected XSS vulnerability in Bagisto v2.0.0 allows attackers to execute malicious JavaScript in victims' browsers via crafted URLs containing mali...

Jun 9, 2025

CVE-2025-26058 4.2

Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection, allowing attackers to capture these tokens via browser history, logs, ...

Feb 18, 2025

CVE-2024-45932 4.8

Krayin CRM v1.3.0 contains a stored cross-site scripting vulnerability in the organization name field of the contact management interface. This allows...

Oct 7, 2024

CVE-2024-46366 8.8

This Client-side Template Injection vulnerability in Webkul Krayin CRM allows attackers to inject malicious template code during lead creation, which ...

Sep 27, 2024

CVE-2024-46367 9.6

A stored cross-site scripting vulnerability in Webkul Krayin CRM 1.3.0 allows attackers to inject malicious JavaScript via the username field. When ex...

Sep 27, 2024

CVE-2024-40318 7.2

This vulnerability allows attackers to upload malicious files to Webkul Qloapps v1.6.0.0, potentially leading to remote code execution. Any organizati...

Jul 25, 2024

CVE-2023-36237 8.8

This Cross-Site Request Forgery (CSRF) vulnerability in Bagisto e-commerce platform allows attackers to trick authenticated users into executing malic...

Feb 26, 2024

CVE-2023-39147 7.8

This vulnerability allows attackers to upload malicious image files to Uvdesk 1.1.3, which can lead to remote code execution on the server. Any organi...

Aug 1, 2023

CVE-2023-33570 8.8

Bagisto v1.5.1 contains a Server-Side Template Injection (SSTI) vulnerability that allows attackers to execute arbitrary code on the server. This affe...

Jun 28, 2023

CVE-2023-36284 7.5

CVE-2023-36284 is an unauthenticated time-based SQL injection vulnerability in Webkul QloApps 1.6.0 that allows remote attackers to bypass authenticat...

Jun 23, 2023

Why Monitor Webkul Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 25+ known vulnerabilities affecting Webkul products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Webkul packages in under 60 seconds. No agents required - completely agentless scanning that works across Webkul deployments.

Free vulnerability database: Access detailed information about every Webkul CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

Register free account & add your servers
Run one-time scan or schedule automatic monitoring (every 1-24 hours)
Receive instant alerts when new Webkul CVEs affect your systems
Access dashboard with severity breakdown & fix instructions

Start Monitoring Webkul CVEs Free