CVE-2026-21448

Checkout to Shell: Unpacking the Bagisto Stored SSTI RCE

Alon Barad
Software Engineer

Jan 2, 2026 · 7 min read

Executive Summary (TL;DR)

Bagisto versions prior to 2.3.10 fail to sanitize user input in the checkout process. An attacker can input a Laravel Blade template payload (e.g., `{{ system('id') }}`) into their shipping address. When an administrator views the order in the backend, the payload executes on the server, granting full RCE.

A critical Stored Server-Side Template Injection (SSTI) vulnerability in the Bagisto eCommerce platform allows unauthenticated attackers to achieve Remote Code Execution (RCE) by injecting malicious payloads into shipping address fields.

Technical Appendix

CVSS Score
9.3 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Systems

Bagisto eCommerce Platform < 2.3.10
Laravel applications using vulnerable Bagisto packages

Affected Versions Detail

Product: Bagisto
Affected Versions: < 2.3.10
Fixed Version: 2.3.10

Attribute / Detail

CWE ID: CWE-1336
Attack Vector: Network (Remote)
CVSS v3.1: 9.3 (Critical)
Impact: Remote Code Execution (RCE)
Exploit Status: PoC Available
Requires Auth: No (Unauthenticated at injection point)
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

The application saves user-provided information into a template file or uses it in a way that allows the template engine to execute it as code.
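The summary above and this CWE description come down to one thing a defender can check for: Blade syntax sitting in address fields that should only ever hold postal data. As an added example (not code from this post or from Bagisto), the scan below walks an exported set of orders and flags every address field carrying Blade echo tags, raw echo tags or directives, so existing orders on a pre-2.3.10 install can be reviewed before an administrator opens them. Python is used so it runs stand-alone against a JSON export; the address field names and the sample orders are assumptions constructed here, not Bagisto's schema.

```python
import re

# Blade syntaxes a postal address never needs. Blade's own escape prefix "@{{"
# renders the braces literally, so it is excluded from the echo-tag match.
BLADE_PATTERNS = {
    "echo": re.compile(r"(?<!@)\{\{.*?\}\}", re.S),          # {{ ... }}
    "raw_echo": re.compile(r"\{!!.*?!!\}", re.S),             # {!! ... !!}
    "directive": re.compile(r"(?<![\w@])@(php|if|foreach|include|inject)\b"),
}

# Address field names are assumed for illustration, not taken from Bagisto's schema.
ADDRESS_FIELDS = ("first_name", "last_name", "company_name", "address1",
                  "address2", "city", "state", "postcode")


def blade_hits(value):
    """Return the names of the Blade syntaxes found in a single field value."""
    return [name for name, pat in BLADE_PATTERNS.items() if pat.search(value)]


def scan_orders(orders):
    """Walk exported orders and report every address field carrying Blade syntax."""
    findings = []
    for order in orders:
        for section in ("shipping_address", "billing_address"):
            address = order.get(section) or {}
            for field in ADDRESS_FIELDS:
                value = str(address.get(field, ""))
                hits = blade_hits(value)
                if hits:
                    findings.append({
                        "order_id": order["id"],
                        "field": f"{section}.{field}",
                        "value": value,
                        "syntax": hits,
                    })
    return findings


# Constructed sample export: one clean order, two with injected address fields.
SAMPLE_ORDERS = [
    {"id": 1001, "shipping_address": {"first_name": "Ada", "address1": "221B Baker Street", "city": "London"}},
    {"id": 1002, "shipping_address": {"first_name": "Bob", "address1": "{{ system('id') }}", "city": "Nowhere"}},
    {"id": 1003, "billing_address": {"company_name": "@php echo 1; @endphp", "address1": "1 Main St", "address2": "{!! $x !!}"}},
]

if __name__ == "__main__":
    for f in scan_orders(SAMPLE_ORDERS):
        print(f"order {f['order_id']}: {f['field']} -> {f['syntax']}: {f['value']!r}")
```

Any hit is worth treating as an indicator on an unpatched install: the payload only fires when the order is rendered in the admin panel, so a flagged order that nobody has opened yet is still an attempt, not a confirmed compromise.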

Vulnerability Timeline

CVE Published
2026-01-02
Patch Released (v2.3.10)
2026-01-02