CVE-2026-21451
Unknown Unknown - Not Provided
Stored XSS in Bagisto CMS Editor Enables Admin Account Takeover

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21451
EUVD
EUVD-2026-0032
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bagisto bagisto to 2.3.10 (exc)
bagisto bagisto 2.3.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21451 is a stored Cross-Site Scripting (XSS) vulnerability in the Bagisto eCommerce platform's CMS page editor. Although Bagisto tries to sanitize <script> tags when submitted through the user interface, this filtering can be bypassed by intercepting and modifying the raw HTTP POST request before submission. This allows an attacker to store arbitrary JavaScript in the CMS content, which executes whenever the page is viewed or edited by an administrator. The root cause is insufficient server-side sanitization, trusting manipulated HTTP requests without proper filtering. [1]

Impact Analysis

This vulnerability can lead to severe impacts including administrator account takeover, session hijacking, unauthorized administrative actions, defacement of the website, injection of malicious content into public pages, and potentially full compromise of the application backend. Since the malicious script executes with full admin privileges, attackers can hijack backend functionality and control the platform. [1]

Detection Guidance

This vulnerability can be detected by intercepting and inspecting HTTP POST requests to the CMS page editor for the presence of unsanitized <script> tags or arbitrary JavaScript code in the content fields. Tools like Burp Suite can be used to capture and modify these requests. A practical approach is to log in as an administrator, intercept the CMS update request, and check if raw JavaScript can be injected and stored. There are no specific commands provided, but using a web proxy or HTTP interceptor to analyze POST requests is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Bagisto to version 2.3.10 or later, where the vulnerability is patched. Additionally, implement robust server-side sanitization of CMS content inputs using libraries such as HTMLPurifier or Laravel Purifier to ensure that <script> tags and other potentially malicious code are properly stripped or encoded regardless of how the HTTP request is submitted. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart