CVE-2026-6745
Received Received - Intake
Cross-Site Scripting in Bagisto Custom Scripts Handler

Publication date: 2026-04-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6745
EUVD
EUVD-2026-24243
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bagisto bagisto to 2.3.15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Bagisto up to version 2.3.15 within an unknown functionality of the Custom Scripts Handler component.

It allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this component.

The vulnerability can be exploited remotely, and the exploit has been publicly disclosed.

The vendor has acknowledged the issue and plans to fix it in upcoming releases.

Impact Analysis

This cross-site scripting vulnerability can allow attackers to inject malicious scripts into the application.

Such scripts could be used to hijack user sessions, deface websites, or redirect users to malicious sites.

Since the exploit is remotely executable, attackers do not need physical access to the system.

The impact is rated as low to medium severity based on CVSS scores (3.5 to 5.1), indicating limited but notable risk.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves identifying attempts to inject malicious scripts into input fields or parameters handled by this component.

While no explicit commands are provided in the available resources, reviewing the provided proof-of-concept (PoC) files and documentation in Resource 1 could help craft detection commands or scripts.

  • Monitor HTTP requests for suspicious script tags or JavaScript payloads targeting Bagisto's custom scripts handler endpoints.
  • Use web vulnerability scanners that support XSS detection against Bagisto installations.
  • Analyze logs for unusual input patterns or error messages related to script execution.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable component and applying input validation and output encoding to prevent script injection.

Since the vendor has acknowledged the issue and plans to fix it in upcoming releases, updating Bagisto to the latest version once available is recommended.

  • Limit user privileges to reduce the impact of potential exploitation, as the CVSS indicates low privileges are required.
  • Implement Web Application Firewall (WAF) rules to block common XSS payloads targeting Bagisto.
  • Educate users and administrators about the risk and signs of XSS attacks.
Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by this component and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test the vulnerability manually or with automated tools.

No specific detection commands are provided in the available resources, but general approaches include using tools like curl or browser developer tools to send crafted requests and observe responses for script execution.

  • Use curl to send a request with a typical XSS payload to the suspected vulnerable endpoint, for example: curl -X GET 'http://your-bagisto-site/path?param=<script>alert(1)</script>' -i
  • Use browser developer tools to manually input script payloads into the Custom Scripts Handler interface and check if the script executes.
  • Employ automated vulnerability scanners that support XSS detection against the Bagisto application.
Compliance Impact

The provided information does not specify how the cross site scripting vulnerability in Bagisto affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test the system. Manual testing or automated scanning tools that detect XSS vulnerabilities can be used.

Specific commands are not provided in the available resources, but common approaches include using curl or browser-based tools to send crafted requests containing JavaScript payloads to the suspected vulnerable endpoints.

  • Use curl to send a request with a script payload, for example: curl -X GET 'http://targetsite/path?param=<script>alert(1)</script>'
  • Use automated scanners like OWASP ZAP or Burp Suite to scan for XSS vulnerabilities in the application.
  • Monitor HTTP responses for reflected script tags or unexpected script execution.
Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS payloads in input fields or parameters handled by this component.

Since the exploit has been publicly disclosed and proof-of-concept materials are available in the provided resources, you can use those to test your system.

Suggested commands or methods to detect this vulnerability include:

  • Use a web proxy tool (e.g., Burp Suite or OWASP ZAP) to intercept and modify requests to the Custom Scripts Handler, injecting typical XSS payloads such as <script>alert(1)</script>.
  • Run automated scanners that test for XSS vulnerabilities targeting Bagisto endpoints.
  • Refer to the proof-of-concept files in the shared Google Drive folder (Resource 1) for specific payloads and step-by-step exploit instructions.
Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves identifying attempts to inject malicious scripts into web requests targeting this component.

To detect exploitation attempts on your system or network, you can monitor HTTP requests for suspicious input patterns that include script tags or typical XSS payloads.

Example commands to detect potential XSS attempts in web server logs or live traffic include:

  • Using grep to search for script tags in Apache or Nginx logs: grep -iE "<script|javascript:" /var/log/apache2/access.log
  • Using tcpdump or tshark to capture HTTP traffic and filter for suspicious payloads: tshark -Y 'http.request.uri contains "<script>" or http.request.uri contains "javascript:"'
  • Using a web application firewall (WAF) or intrusion detection system (IDS) with rules to detect XSS payloads targeting Bagisto's Custom Scripts Handler.

Since the exploit has been publicly disclosed, you may also find proof-of-concept scripts or payloads in the shared resources (Resource 1) that can be used to test your environment in a controlled manner.

Detection Guidance

The vulnerability in Bagisto up to version 2.3.15 involves cross site scripting (XSS) in the Custom Scripts Handler component. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by this component and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test the system. However, no specific detection commands or tools are provided in the available resources.

Resource 1 contains files such as 'step by step exploit xss.docx' and 'Poc xss discovery by hai271120.mkv' which may provide detailed steps or commands for detecting or exploiting the vulnerability.

In general, common commands or tools to detect XSS vulnerabilities include using curl or wget to send crafted HTTP requests with script payloads, or using security scanners like OWASP ZAP or Burp Suite to automate detection.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test the system. Monitoring HTTP requests and responses for suspicious script injections or unexpected script execution can also help detect exploitation attempts.

Specific commands are not provided in the available resources, but common approaches include using tools like curl or wget to send crafted requests, or using web vulnerability scanners that support XSS detection.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept (PoC) scripts or payloads to test your system. Manual testing or automated scanning tools that support XSS detection can be used.

Specific commands are not provided in the available resources, but common approaches include using curl or browser-based tools to send crafted requests containing typical XSS payloads (e.g., <script>alert(1)</script>) to the suspected vulnerable endpoints.

For example, a simple curl command to test an input parameter might look like this:

  • curl -X GET 'http://your-bagisto-site/path?input=<script>alert(1)</script>' -i

Then observe the response to see if the script is reflected and executed in the browser context.

Additionally, reviewing the files or scripts related to the Custom Scripts Handler component for unsanitized input handling can help identify the vulnerability.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test the system. Monitoring HTTP requests and responses for suspicious script injections or unexpected script execution can also help detect exploitation attempts.

Specific commands are not provided in the available resources, but common approaches include using tools like curl or wget to send crafted requests, or using web vulnerability scanners that support XSS detection.

  • Use curl to send a test payload to the suspected vulnerable endpoint, for example: curl -X POST -d 'input=<script>alert(1)</script>' http://target/bagisto/custom-scripts-handler
  • Use a web proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to inject XSS payloads.
  • Review logs for unusual input containing script tags or suspicious characters.
Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept scripts or payloads to test your system. Monitoring HTTP requests and responses for suspicious script injections or unexpected script execution can also help detect exploitation attempts.

Specific commands or tools to detect this vulnerability are not provided in the available resources. However, common approaches include using web vulnerability scanners that test for XSS or manual testing with curl or browser developer tools to inject and observe script execution.

Detection Guidance

This vulnerability involves cross-site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept (PoC) scripts or payloads to test your system. The provided resources include files such as "step by step exploit xss.docx" and "Poc xss discovery by hai271120.mkv" which may contain detailed instructions or commands for detection.

Common commands or tools to detect XSS vulnerabilities include using curl or browser-based tools to inject typical XSS payloads, for example:

  • curl -X GET 'http://your-bagisto-instance/path?param=<script>alert(1)</script>'
  • Using browser developer tools or intercepting proxies (like Burp Suite) to inject and monitor script execution.

However, specific commands tailored to this vulnerability are not explicitly provided in the available context or resources.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the Custom Scripts Handler component of Bagisto up to version 2.3.15. Detection typically involves testing for XSS by injecting script payloads into input fields or parameters handled by the Custom Scripts Handler and observing if the scripts are executed.

Since the exploit has been publicly disclosed, you can use proof-of-concept (PoC) scripts or payloads to test the system. The resource provided includes files such as "step by step exploit xss.docx" and "Poc xss discovery by hai271120.mkv" which may contain detailed instructions or commands for detection.

Common commands or methods to detect XSS vulnerabilities include using curl or browser developer tools to inject typical XSS payloads, for example:

  • curl -X GET 'http://targetsite/path?param=<script>alert(1)</script>'
  • Using browser-based tools like Burp Suite or OWASP ZAP to intercept and modify requests to inject scripts.

However, specific commands tailored to this vulnerability may be found in the shared resources linked in Resource 1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6745. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart