CVE-2026-60120
Deferred Deferred - Pending Action

Stored XSS in Bagisto via Client-Side Template Injection

Vulnerability report for CVE-2026-60120, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Bagisto before 2.4.4 contains a stored cross-site scripting vulnerability via client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers by registering a customer account with malicious payload in the first or last name field. The create.blade.php template renders customer name fields without the Vue.js v-pre directive, causing Vue.js to evaluate stored template expressions as live JavaScript when an administrator opens the Create Order page for the affected customer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bagisto bagisto to 2.4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Bagisto versions before 2.4.4 and is a stored cross-site scripting (XSS) issue caused by client-side template injection.

An unauthenticated attacker can exploit this by registering a customer account with malicious JavaScript code embedded in the first or last name fields.

The problem arises because the create.blade.php template renders these customer name fields without using the Vue.js v-pre directive, which means Vue.js processes and executes the stored template expressions as live JavaScript.

When an administrator opens the Create Order page for the affected customer, the malicious script runs in their browser.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of administrators.

Potential impacts include theft of administrator session tokens, unauthorized actions performed with administrator privileges, and possible compromise of the administrative interface.

Since the attacker can inject scripts without authentication, it increases the risk of persistent attacks against the administrative users.

Detection Guidance

This vulnerability involves stored cross-site scripting via client-side template injection in Bagisto versions before 2.4.4. Detection involves identifying customer accounts with malicious payloads in the first or last name fields that could trigger JavaScript execution in administrator browsers.

Since the vulnerability is triggered when an administrator opens the Create Order page for a customer with a malicious name field, detection can focus on inspecting customer records for suspicious template expressions or JavaScript payloads in these fields.

There are no specific commands provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

The primary mitigation step is to update Bagisto to version 2.4.4 or later, where this vulnerability has been fixed by adding the Vue.js v-pre directive to the create.blade.php template to prevent client-side template injection.

Until the update can be applied, administrators should avoid opening the Create Order page for customer accounts that might contain malicious payloads in their name fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart