Bagisto Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A server-side template injection (SSTI) vulnerability has been identified in Bagisto versions prior to 2.3.10. An ordinary customer account can submit template expressions in the input fields of the 'add address' step of the checkout process. The stored values are later rendered as a template, not as escaped data, when an administrator views the order, so the expressions are evaluated on the server. Because the template engine executes server-side code, the injected values can be manipulated to achieve remote code execution.

Impact

Exploitation of this vulnerability can lead to remote code execution on the server. The attacker needs only a normal customer account; the payload is stored and executes when an administrator views the affected order or address in the admin panel.

Reproduction

To reproduce this vulnerability, log in as a normal customer, place an order, and enter a template expression such as '{{7*7}}' into any input field during the 'add address' step. When the order is opened in the admin view under 'sales orders', the expression has been evaluated and the result, '49', is displayed in place of the literal text. The same injection can be performed directly in the 'customer account addresses' section, with the same result. A value that was merely stored and echoed back would display as the literal '{{7*7}}' (possibly HTML-escaped); seeing '49' confirms that the input reached the template compiler.
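The reproduction steps above can be turned into a repeatable check. The following Python is an added example, not code from this advisory or from the Bagisto project: it generates an arithmetic probe in Blade echo syntax, classifies a captured admin-page fragment as evaluated, reflected or absent, and flags address-form requests that carry template syntax in a constructed request log. The log line format and the endpoint paths `/checkout/address` and `/customer/addresses` are assumptions made for the example, not Bagisto's real routes.

```python
"""SSTI probe oracle and request-log detection for the address-field injection
described above. Added example; the log format and paths are assumptions."""
import html
import random
from urllib.parse import parse_qs
import re

# Template syntax a Blade-style engine would evaluate: {{ }} echo, {!! !!} raw
# echo and @php directives. ${ } is included to also catch probes aimed at
# other engines.
TEMPLATE_MARKERS = re.compile(r"\{\{.*?\}\}|\{!!.*?!!\}|@php\b|\$\{.*?\}", re.DOTALL)

# Constructed request log: "METHOD PATH URL-ENCODED-BODY". Not real traffic.
SAMPLE_LOG = [
    "POST /checkout/address first_name=Ada&address1=%7B%7B7*7%7D%7D&city=London",
    "POST /customer/addresses address1=12+Main+St&postcode=E1+6AN",
    "GET /checkout/address -",
    "POST /customer/addresses company=%7B%21%21+7*7+%21%21%7D",
]


def make_probe(rng=None):
    """Return (payload, expected), e.g. ('{{431*877}}', '377987').

    Three-digit factors make the product unlikely to appear in an admin page
    by coincidence, unlike the '49' from the classic {{7*7}}.
    """
    rng = rng or random.Random()
    a, b = rng.randint(101, 997), rng.randint(101, 997)
    return "{{%d*%d}}" % (a, b), str(a * b)


def classify_response(body, payload, expected):
    """Classify an admin-page fragment captured after submitting the probe.

    'reflected': the literal expression is echoed back (stored, not compiled).
    'evaluated': only the product is present, so the engine computed it (SSTI).
    'absent':    neither appears; the field may not be rendered on this page.
    HTML entities are decoded first so an escaped literal still counts as
    reflected rather than evaluated.
    """
    text = html.unescape(body)
    if payload in text:
        return "reflected"
    if expected in text:
        return "evaluated"
    return "absent"


def flag_address_requests(log_lines, address_paths=("/checkout/address", "/customer/addresses")):
    """Return (path, field, decoded value) for POSTs to address endpoints whose
    form fields contain template syntax. Decoding before matching matters:
    the braces arrive percent-encoded and a raw substring check would miss them.
    """
    hits = []
    for line in log_lines:
        try:
            method, path, body = line.split(" ", 2)
        except ValueError:
            continue  # malformed line: skip rather than crash the sweep
        if method != "POST" or not path.startswith(address_paths):
            continue
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                if TEMPLATE_MARKERS.search(value):
                    hits.append((path, field, value))
    return hits


if __name__ == "__main__":
    payload, expected = make_probe(random.Random(1))
    # Constructed stand-ins for the 'sales orders' view: one evaluated, one escaped.
    print(classify_response("<td>%s</td>" % expected, payload, expected))
    print(classify_response("<td>%s</td>" % html.escape(payload), payload, expected))
    for hit in flag_address_requests(SAMPLE_LOG):
        print("template syntax in %s field %r: %s" % hit)
```

The classifier treats a reflected literal as the safe outcome; only the bare product, with the expression gone, is taken as confirmation, which is the same distinction the manual check above relies on.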

Remediation

Users should upgrade to Bagisto version 2.3.10, which includes a patch for this vulnerability. Until the upgrade is applied, customer-supplied address data should be treated as untrusted wherever it is rendered in admin views, since any customer account can store the payload.

Added: Jan 2, 2026, 9:21 PM
Updated: Jan 2, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          7.5
exploitability  6.8
remediation     7.7
relevance       1.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.