CVE-2026-6744 MEDIUM

CVE-2026-6744: Bagisto Downloadable Link copy server-side request forgery

Vendor N/A
Product Bagisto
Weakness CWE-918 · SSRF
Published April 21, 2026
Last update April 22, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A vulnerability was found in Bagisto up to 2.3.15. It affects the function copy of the component Downloadable Link Handler. Manipulation of this function results in server-side request forgery. The attack can be launched remotely. An exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: "We already replied on the GitHub advisories. All the security issues are addressed through security advisory. We will fix this in our upcoming releases."

Key dates

02 Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated
