Every CVE whose affected-product data names Webkul Bagisto, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2026-21446 — CVSS 9.8 (critical): Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after…
CVE-2026-21450 — CVSS 9.8 (critical): Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type…
CVE-2026-21448 — CVSS 9.8 (critical): Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a…
CVE-2023-36237 — CVSS 8.8 (high): Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.
CVE-2026-21449 — CVSS 8.8 (high): Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first…
CVE-2019-16403 — CVSS 8.8 (high): In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can…
CVE-2026-21451 — CVSS 8.4 (high): Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version…
CVE-2025-60880 — CVSS 8.3 (high): An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a…
CVE-2025-62417 — CVSS 7.8 (high): Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +…
CVE-2026-21447 — CVSS 7.1 (high): Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the…
CVE-2025-62414 — CVSS 6.9 (medium): Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is…
CVE-2025-62415 — CVSS 6.9 (medium): Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with…
CVE-2025-62418 — CVSS 6.9 (medium): Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with…
CVE-2025-56426 — CVSS 6.5 (medium): An issue WebKul Bagisto v.2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint, specifically, the…
CVE-2024-27499 — CVSS 6.5 (medium): Bagisto v1.5.1 is vulnerable for Cross site scripting(XSS) via png file upload vulnerability in product review option.
CVE-2023-36238 — CVSS 6.5 (medium): Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter.
CVE-2025-40675 — CVSS 6.1 (medium): A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute…
CVE-2025-62416 — CVSS 5.1 (medium): Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to…
CVE-2023-36236 — CVSS 4.8 (medium): Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file…