CVE-2026-21451 MEDIUM

CVE-2026-21451: Bagisto has HTML Filter Bypass that Enables Stored XSS

Vendor Bagisto
Product bagisto
Weakness CWE-79 · XSS
Published January 2, 2026
Last update January 2, 2026

CVSS base score

5.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Vulnerable system impact Confidentiality None · Integrity None · Availability None
Subsequent system impact Confidentiality High · Integrity High · Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

What the vulnerability does

01 Description

Bagisto is an open source Laravel eCommerce platform. A stored cross-site scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. The platform normally attempts to strip `<script>` tags from page content, but that filtering can be bypassed by editing the raw HTTP POST request (for example in an intercepting proxy) before it reaches the server, which indicates the check is not enforced server-side. As a result, arbitrary JavaScript can be stored in the CMS content and is executed whenever the page is viewed or edited. This exposes administrators to account takeover, backend hijacking and malicious script execution in their sessions. Version 2.3.10 fixes the issue.

Reading the CVSS vector against that description: exploitation requires an account that can already edit CMS pages (PR:H), and the vulnerable component itself is scored with no direct impact (VC:N/VI:N/VA:N). The High confidentiality and integrity impact is on the subsequent system (SC:H/SI:H), that is, the browser sessions of the other administrators who open or edit the poisoned page. That split is why the description speaks of a high-severity consequence while the base score lands at Medium (5.2); E:P records proof-of-concept exploit maturity. The fix is to upgrade to 2.3.10 or later; until then, limit CMS page editing to trusted accounts and treat stored page content as untrusted when it is rendered or loaded back into the editor.

Key dates

02 Disclosure timeline

January 2, 2026 CVE published
January 2, 2026 Record updated