Jan 2, 2026 · 5 min read
Bagisto (an eCommerce platform built on Laravel) rendered a user-controlled customer profile field inside markup that Vue.js later compiles as a template. By setting their name to a Vue template expression, an attacker achieves stored XSS: the expression runs in the browser of anyone who views that profile, including administrators.
A Client-Side Template Injection (CSTI) vulnerability in the Bagisto eCommerce platform allows an authenticated user to execute arbitrary JavaScript by injecting Vue.js template expressions into profile fields. Server-side HTML escaping does not prevent this: `{{` and `}}` are not HTML-special characters, so they survive escaping intact and are then evaluated by the Vue compiler on the client.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bagisto | < 2.3.10 | 2.3.10 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) |
| Attack Vector | Network |
| CVSS v4.0 | 7.4 |
| Privileges Required | Low (authenticated user) |
| Exploit Status | PoC available |
| Impact | High (Confidentiality/Integrity) |