CVE-2026-9506
Deferred
Deferred - Pending Action
Path Traversal Vulnerability in Bagisto ImageCacheController
Vulnerability report for CVE-2026-9506, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-08
Last updated on: 2026-06-08
Assigner: Indian Computer Emergency Response Team (CERT-In)
Description
Description
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.
Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bagisto | bagisto | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
