CVE-2026-9506
Deferred Deferred - Pending Action
Path Traversal Vulnerability in Bagisto ImageCacheController

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Indian Computer Emergency Response Team (CERT-In)

Description
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-9506
EUVD
EUVD-2026-35036
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bagisto bagisto *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component.

An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter.

This allows the attacker to access arbitrary files outside the intended directory on the targeted system.

Impact Analysis

Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to read arbitrary sensitive files on the targeted system by exploiting improper validation of user-supplied input in the ImageCacheController component.

Such unauthorized access to sensitive files could lead to exposure of personal or protected data, potentially resulting in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9506. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart