CVE-2026-21449
Server-Side Template Injection in Bagisto eCommerce
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bagisto | bagisto | to 2.3.10 (exc) |
| bagisto | bagisto | 2.3.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21449 is a Server-Side Template Injection (SSTI) vulnerability in the Bagisto e-commerce platform versions prior to 2.3.10. It allows a low-privileged user to inject template expressions into the first name and last name fields on their profile page. These expressions are evaluated by the server, which can lead to execution of arbitrary code or commands on the server. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with low privileges to execute arbitrary code or commands on the server hosting the Bagisto platform. This can lead to unauthorized access, data theft, server compromise, or disruption of services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject template expressions into the "first name" and "last name" fields of a low-privilege user profile in Bagisto versions prior to 2.3.10. For example, entering a payload such as `{{7*7}}` and observing if the system evaluates and returns the result (e.g., 49) indicates the presence of the Server-Side Template Injection (SSTI) vulnerability. There are no specific network commands provided, but manual testing of these input fields with SSTI payloads is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Bagisto to version 2.3.10 or later, where the SSTI vulnerability has been fixed. Until the upgrade can be performed, restrict low-privilege user input in the "first name" and "last name" fields or apply input validation and sanitization to prevent template injection. [1]