CVE-2026-21451
Stored XSS in Bagisto CMS Editor Enables Admin Account Takeover
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bagisto | bagisto | to 2.3.10 (exc) |
| bagisto | bagisto | 2.3.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-21451 is a stored Cross-Site Scripting (XSS) vulnerability in the Bagisto eCommerce platform's CMS page editor. Although Bagisto tries to sanitize <script> tags when submitted through the user interface, this filtering can be bypassed by intercepting and modifying the raw HTTP POST request before submission. This allows an attacker to store arbitrary JavaScript in the CMS content, which executes whenever the page is viewed or edited by an administrator. The root cause is insufficient server-side sanitization, trusting manipulated HTTP requests without proper filtering. [1]
How can this vulnerability impact me? :
This vulnerability can lead to severe impacts including administrator account takeover, session hijacking, unauthorized administrative actions, defacement of the website, injection of malicious content into public pages, and potentially full compromise of the application backend. Since the malicious script executes with full admin privileges, attackers can hijack backend functionality and control the platform. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and inspecting HTTP POST requests to the CMS page editor for the presence of unsanitized <script> tags or arbitrary JavaScript code in the content fields. Tools like Burp Suite can be used to capture and modify these requests. A practical approach is to log in as an administrator, intercept the CMS update request, and check if raw JavaScript can be injected and stored. There are no specific commands provided, but using a web proxy or HTTP interceptor to analyze POST requests is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Bagisto to version 2.3.10 or later, where the vulnerability is patched. Additionally, implement robust server-side sanitization of CMS content inputs using libraries such as HTMLPurifier or Laravel Purifier to ensure that <script> tags and other potentially malicious code are properly stripped or encoded regardless of how the HTTP request is submitted. [1]