
53 matches found

CVE
added 2026/04/01 12:30 a.m., 4 views

CVE-2026-35057

XenForo is affected in versions prior to 2.3.10 and prior to 2.2.19. The vulnerability is a stored XSS in structured text mentions, primarily impacting legacy profile post content. An attacker can inject malicious scripts via crafted mentions that are stored and executed when other users view the...

CVSS 6.4, AI score 5.8, EPSS 0.00034
Exploits: 1, References: 2, Affected Software: 1
RedhatCVE
added 2026/01/03 9:4 p.m., 4 views

CVE-2026-21448

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the add address step they can inject a value to run in admin view. The issue can lead to remote code execution. Version...

CVSS 9.8, AI score 8, EPSS 0.00177
Exploits: 1, References: 1
RedhatCVE
added 2026/01/03 9:4 p.m., 2 views

CVE-2026-21447

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...

CVSS 7.1, AI score 6.5, EPSS 0.00014
Exploits: 1, References: 1
RedhatCVE
added 2026/01/03 9:4 p.m., 2 views

CVE-2026-21451

Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting XSS vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize...

CVSS 8.4, AI score 5.7, EPSS 0.00023
Exploits: 1, References: 1
NVD
added 2026/01/02 9:16 p.m., 1 views

CVE-2026-21450

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue...

CVSS 9.8, EPSS 0.0062
Exploits: 0, References: 1
NVD
added 2026/01/02 9:16 p.m., 5 views

CVE-2026-21449

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue...

CVSS 8.8, EPSS 0.0003
Exploits: 1, References: 1
NVD
added 2026/01/02 9:15 p.m., 11 views

CVE-2026-21448

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the add address step they can inject a value to run in admin view. The issue can lead to remote code execution. Version...

CVSS 9.8, EPSS 0.00177
Exploits: 1, References: 1
NVD
added 2026/01/02 9:15 p.m., 5 views

CVE-2026-21447

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...

CVSS 7.1, EPSS 0.00014
Exploits: 1, References: 2
CVE
added 2026/01/02 8:38 p.m., 7 views

CVE-2026-21450

Bagisto SSTI (server-side template injection) in the type parameter allows remote code execution. Affected versions are prior to 2.3.10; version 2.3.10 contains the fix. Exploitation details cited include an example payload accessing the admin view (type={{7*7}}), which can lead to RCE and other ...

CVSS 9.8, AI score 8, EPSS 0.0062
Exploits: 0, References: 1, Affected Software: 1
OSV
added 2026/01/02 8:38 p.m., 2 views

CVE-2026-21450 Bagisto has SSTI in parameter that can lead to RCE

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue...

CVSS 8.6, AI score 8.1, EPSS 0.0062
Exploits: 0, References: 3
OSV
added 2026/01/02 8:37 p.m., 2 views

CVE-2026-21451 Bagisto has HTML Filter Bypass that Enables Stored XSS

Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting XSS vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST...

CVSS 6.3, AI score 5.8, EPSS 0.00023
Exploits: 1, References: 3
Vulnrichment
added 2026/01/02 8:35 p.m., 2 views

CVE-2026-21449 Bagisto has SSTI via first and last name from low-privilege user (not admin)

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue...

CVSS 8.7, AI score 6.8, EPSS 0.0003
Exploits: 1, References: 1
Vulnrichment
added 2026/01/02 8:18 p.m., 2 views

CVE-2026-21448 Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the add address step they can inject a value to run in admin view. The issue can lead to remote code execution. Version...

CVSS 9.3, AI score 7.6, EPSS 0.00177
Exploits: 1, References: 1
CVE
added 2026/01/02 7:18 p.m., 9 views

CVE-2026-21446

Summary (CVE-2026-21446) Bagisto (Laravel-based eCommerce) prior to 2.3.10 exposes installer API endpoints under /install/api/* that remain accessible after installation. The root cause is unauthenticated access to API routes (no auth/CSRF in /install/api/*), enabling an attacker to create admin ...

CVSS 9.8, AI score 6.5, EPSS 0.00144
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2026/01/02 7:18 p.m., 27 views

CVE-2026-21446 Bagisto Missing Authentication on Installer API Endpoints

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints /install/api/ are directly accessible and exploitable without any authentication. An attacker can...

CVSS 9.3, EPSS 0.00144
Exploits: 1, References: 2
Positive Technologies
added 2026/01/02 12:0 a.m., 2 views

PT-2026-1128

Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.10. Description: Bagisto, an open source Laravel eCommerce platform, is susceptible to server-side template injection. A normal customer, during the address addition step of an order, can inject a value that execute...

CVSS 9.8, AI score 7.4, EPSS 0.00177
Exploits: 1, References: 5
CNNVD
added 2026/01/02 12:0 a.m., 10 views

Bagisto cross-site scripting vulnerability

Bagisto is an open source e-commerce framework open sourced by Webkul Software in India. A cross-site scripting vulnerability exists in Bagisto versions prior to 2.3.10, which stems from the presence of stored cross-site scripting in the CMS page editor, which could lead to account takeover...

CVSS 8.4, AI score 5.7, EPSS 0.00023
Exploits: 1, References: 2
Positive Technologies
added 2026/01/02 12:0 a.m., 6 views

PT-2026-1125

Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.10. Description: Bagisto, an open source Laravel eCommerce platform, has an issue where API routes remain active even after the initial installation is complete. The API endpoints /install/api/ are directly accessib...

CVSS 9.8, AI score 6.8, EPSS 0.00144
Exploits: 1, References: 6
Positive Technologies
added 2026/01/02 12:0 a.m., 3 views

PT-2026-1131

Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.10. Description: Bagisto, an open source laravel eCommerce platform, contains a stored Cross-Site Scripting XSS issue within the CMS page editor. The platform's attempt to sanitize tags can be bypassed by manipulati...

CVSS 8.4, AI score 6, EPSS 0.00023
Exploits: 1, References: 5
Patchstack
added 2025/11/05 1:37 a.m., 3 views

WordPress Phlox Portfolio plugin <= 2.3.10 - Unauthenticated Local File Inclusion via args[extra_template_path] vulnerability

Unauthenticated Local File Inclusion via args[extra_template_path] vulnerability discovered by LionTree in WordPress Plugin Phlox Portfolio versions <= 2.3.10...

CVSS 8.1, AI score 6.8, EPSS 0.00308
Exploits: 0, References: 1, Affected Software: 1