CVE-2026-21448

CriticalPublic PoC

Published: 02 January 2026

Published

02 January 2026

Modified

08 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view.…

The issue can lead to remote code execution. Version 2.3.10 contains a patch.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates customer inputs like address fields to block malicious server-side template injection payloads before processing.

SI-15 Information Output Filtering good match

prevent

Filters and encodes user-supplied data when rendered in admin views to neutralize SSTI exploitation leading to RCE.

SI-2 Flaw Remediation good match

prevent

Mandates timely patching of known flaws, such as upgrading Bagisto to version 2.3.10, to remediate the SSTI vulnerability.

Security SummaryAI

CVE-2026-21448 is a server-side template injection vulnerability (CWE-1336) affecting Bagisto, an open-source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable, allowing injection during the customer order process specifically in the "add address" step, where user-supplied input is rendered unsafely in the admin view. The flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

A normal customer, without any privileges, can exploit this during the product ordering workflow by injecting malicious payloads into the address field. The injected content executes in the context of the admin view, potentially leading to remote code execution on the server. Attackers require only network access and can trigger the exploit with low complexity and no user interaction.

The official GitHub Security Advisory (GHSA-5j4h-4f72-qpm6) confirms that Bagisto version 2.3.10 addresses the issue with a patch. Security practitioners should upgrade to 2.3.10 or later and review input sanitization in address handling for custom deployments.

Details

CWE(s): CWE-1336

Affected Products

webkul

bagisto

≤ 2.3.10

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-21448 is a server-side template injection vulnerability in a public-facing eCommerce web application, exploitable unauthenticated over the network to achieve remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6
Exploit, Vendor Advisory · security-advisories@github.com