HIGH🇬🇧 English

CVE-2026-21446

CVSS 8.8v4.0pub. 2026-01-02upd. 2026-01-08

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Webkul Bagisto

    APP
    Webkul
    2.3.0 – 2.3.10 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2026-21450HIGH7.3ten sam produkt

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side t...

CVE-2026-21447HIGH7.1ten sam produkt

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Refer...

CVE-2026-21448HIGH8.9ten sam produkt

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side t...

CVE-2026-21449HIGH7.4ten sam produkt

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side t...

CVE-2025-62417HIGH7.1ten sam produkt

Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula...