CVE-2026-21450
Server-Side Template Injection in Bagisto Allows Remote Code Execution
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bagisto | bagisto | < 2.3.10 (2.3.10 itself is fixed) |
| bagisto | bagisto | 2.3.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21450 is a Server-Side Template Injection (SSTI) vulnerability in the Bagisto e-commerce platform affecting versions before 2.3.10. The "type" query parameter is passed into the template engine without being neutralized, so an attacker who can craft a URL with a malicious "type" value gets that value evaluated as template code on the server, which in turn allows execution of arbitrary commands. [1]
How can this vulnerability impact me?
This vulnerability can lead to Remote Code Execution (RCE) on the server hosting the Bagisto platform. An attacker who exploits it can run arbitrary commands remotely and potentially take full control of the server, read sensitive data (customer records, credentials, payment configuration), modify or delete data, or disrupt service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the 'type' parameter is evaluated by the template engine rather than treated as plain text. Send a request such as `http://<your-bagisto-server>/admin/reporting/products/view?type={{7*7}}` and look at the response: if the literal `{{7*7}}` comes back unchanged, the value was only reflected; if `49` appears where the probe was placed, the expression was evaluated server-side, which indicates template injection. With curl: `curl -i "http://<your-bagisto-server>/admin/reporting/products/view?type={{7*7}}"`. Compare against a baseline response for a normal 'type' value, since a report page can legitimately contain the number 49 (a count or a price), and only a difference between the two responses is meaningful. [1]
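The two checks described above, as an added example that is not part of this CVE entry and not Bagisto project code: one helper classifies the body returned for a `{{7*7}}` probe against a baseline response, and one scans web-server access logs for requests whose `type` parameter carries template syntax. The log lines, IP addresses and the benign `type` value `best-selling-products` are constructed for the example; the combined log format and the `/admin/reporting/products/view` path (taken from the answer above) are assumptions.

```python
"""Offline helpers for checking a Bagisto host for CVE-2026-21450-style SSTI.

Added example, not Bagisto code. Two independent checks:
  1. classify_probe_response(): decide whether a `type={{7*7}}` probe was
     evaluated (SSTI), merely reflected (not interpreted), or not echoed.
  2. find_ssti_probes(): scan access-log lines (combined log format assumed)
     for requests whose `type` query parameter contains template syntax.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Arithmetic that a normal report page is unlikely to print by accident.
PROBE_EXPR = "{{7*7}}"
PROBE_RESULT = re.compile(r"(?<!\d)49(?!\d)")  # standalone '49' only

# Template delimiters used by common engines (Blade/Twig/Jinja style, ${...}).
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|\{!!|!!\}|\$\{|\{%")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic): one benign request, two probes,
# and one request to a different endpoint without a `type` parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "GET /admin/reporting/products/view?type=best-selling-products HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:15:09 +0000] "GET /admin/reporting/products/view?type=%7B%7B7*7%7D%7D HTTP/1.1" 200 18399 "-" "curl/8.4.0"
198.51.100.4 - - [02/Jan/2026:10:16:22 +0000] "GET /admin/reporting/products/view?type=%24%7B7*7%7D HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [02/Jan/2026:10:17:40 +0000] "GET /admin/reporting/sales/view?period=month HTTP/1.1" 200 12001 "-" "Mozilla/5.0"
"""


def classify_probe_response(body: str, baseline_body: str = "") -> str:
    """Classify the response to a `type={{7*7}}` probe.

    baseline_body is the response for a benign `type` value; it rules out a
    '49' the page prints anyway (a count, a price). Returns 'evaluated',
    'reflected' or 'absent'.
    """
    if PROBE_EXPR in body:
        # Echoed verbatim: the engine did not interpret the braces.
        return "reflected"
    if len(PROBE_RESULT.findall(body)) > len(PROBE_RESULT.findall(baseline_body)):
        # A '49' that the baseline does not have: the expression was evaluated.
        return "evaluated"
    return "absent"


def type_param(request_target: str) -> Optional[str]:
    """Return the decoded `type` query parameter of a request target, or None.

    parse_qs decodes once; the extra unquote() also catches double-encoded
    payloads such as %257B%257B (an assumption about scanner behaviour).
    """
    values = parse_qs(urlsplit(request_target).query, keep_blank_values=True).get("type")
    return unquote(values[0]) if values else None


def find_ssti_probes(log_lines: List[str]) -> List[dict]:
    """Return one record per request whose `type` parameter has template syntax."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = type_param(m["target"])
        if value is not None and TEMPLATE_SYNTAX.search(value):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "type": value,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} type={hit["type"]!r}')
```

Feed `find_ssti_probes()` the access log of the web server in front of Bagisto; a hit with a 200 status from a host that then goes on to request other admin pages is what to escalate. `classify_probe_response()` expects the raw bodies of the probe request and of a benign request made with the same session, so that a differing '49' is attributable to the probe and not to page content.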
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade Bagisto to version 2.3.10 or later, where the issue is fixed. Until the upgrade can be performed, restrict access to the affected admin reporting endpoints (for example to trusted networks or VPN), and monitor web-server logs for requests whose 'type' parameter contains template syntax such as `{{` or `${`. [1]