CVE-2026-21450 HIGH

CVE-2026-21450: Bagisto has SSTI in parameter that can lead to RCE

Vendor Bagisto
Product bagisto
Weakness CWE-1336
Published January 2, 2026
Last update January 2, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.

Key dates

02 Disclosure timeline

January 2, 2026 CVE published
January 2, 2026 Record updated