CVE
CVE-2026-21449
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
Summary
SSTI is possible via first name and last name parameters provided by lowest-privileged users.
Details
- Go to
http://127.0.0.1:8000/and login or signup - Go to
http://127.0.0.1:8000/customer/account/profile - Now edit the first name and last name to {{7*7}}
- Notice it appears as 49
POC
- Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912
Impact
This can lead to RCE, command injection.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.4
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8, https://nvd.nist.gov/vuln/detail/CVE-2026-21449, https://github.com/bagisto/bagisto/commit/4144931da0014c696f9126132ce44d7cfbdb2761, https://github.com/bagisto/bagisto, https://github.com/bagisto/bagisto/releases/tag/v2.3.10
Basic Information
Ecosystem
