CVE-2026-21447 HIGH

CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

Vendor Bagisto
Product bagisto
Weakness CWE-284
Published January 2, 2026
Last update January 2, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
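The defect class described above (CWE-284, an order looked up by ID alone without checking that it belongs to the requesting customer) and its fix are illustrated below in a Laravel-style controller. This is an added example written for this page, not Bagisto's code or its patch; the controller, model and route names (`ReorderController`, `Order`, `Cart`, `cart.index`) and the `customer_id` column are hypothetical, and the cart call is a placeholder for whatever the application's cart API provides.

```php
<?php
// Added illustration, not Bagisto's code. All class, column and route names are hypothetical.
// Shows the ownership check that an IDOR in a "reorder" endpoint lacks: the order must be
// resolved within the authenticated customer's own records, never by its ID alone.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Models\Order;   // hypothetical Eloquent model with a customer_id column
use App\Models\Cart;    // hypothetical cart facade/model

class ReorderController extends Controller
{
    // Vulnerable pattern: the ID from the URL is trusted, so any authenticated
    // customer who supplies another customer's order ID gets that order's items.
    public function reorderVulnerable(Request $request, int $orderId)
    {
        $order = Order::findOrFail($orderId);   // no check that $order belongs to the caller
        $this->addItemsToCart($order);
        return redirect()->route('cart.index');
    }

    // Hardened pattern: scope the lookup to the current customer. A foreign ID
    // simply does not match, so findOrFail() returns 404 and nothing about the
    // other customer's order (not even its existence) is revealed.
    public function reorder(Request $request, int $orderId)
    {
        $customerId = Auth::id();   // assumption: the customer guard is the default guard
        $order = Order::where('customer_id', $customerId)->findOrFail($orderId);
        $this->addItemsToCart($order);
        return redirect()->route('cart.index');
    }

    // Copy the order's line items into the caller's cart (placeholder cart API).
    private function addItemsToCart(Order $order): void
    {
        foreach ($order->items as $item) {
            Cart::addProduct($item->product_id, $item->quantity); // hypothetical
        }
    }
}
```

Scoping the query to the owner is the simplest fix; an equivalent approach is a Laravel policy (`$this->authorize('reorder', $order)`) whose `reorder` method compares `$order->customer_id` to the authenticated customer's ID. Either way, the authorization decision is made server-side from the session, not from any client-supplied value. Defenders can also watch for a customer account producing a burst of 404s or 403s on the reorder route with sequential order IDs, which is the footprint a scan for this class of flaw leaves once the check is in place.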

Key dates

Disclosure timeline

January 2, 2026 CVE published
January 2, 2026 Record updated