CVE-2026-21449

Bagisto CSTI: When Your Name Becomes Code

Alon Barad
Software Engineer

Jan 2, 2026

Executive Summary (TL;DR)

Bagisto (an eCommerce platform on Laravel) accidentally allowed Vue.js to hydrate user-controlled input in the customer profile. By changing their name to a Vue template, an attacker can achieve Stored XSS, executing code in the browser of anyone who views that profile—including administrators.

A Client-Side Template Injection (CSTI) vulnerability in the Bagisto eCommerce platform allows authenticated users to execute arbitrary JavaScript by injecting Vue.js templates into profile fields.
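As an added illustration (example code written for this page, not Bagisto's code and not its actual patch), the Node.js snippet below shows why Blade-style HTML escaping alone leaves Vue mustaches intact, a heuristic check that flags template syntax in profile fields, and two server-side renderings that keep user text out of the markup Vue compiles. The function names, the `#app` mount point and the `profile.name` binding are assumptions about a Laravel page later mounted by Vue, the pattern the advisory describes.

```javascript
// Added example, not Bagisto's code. Assumes a server-rendered page whose
// DOM is later mounted by Vue (in-DOM template), as the advisory describes.

// Blade-style HTML escaping: handles the five HTML-special characters only.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Heuristic: Vue syntax that survives HTML escaping (mustache delimiters,
// v-* directives, shorthand bindings). Useful as a validation rule or for
// reviewing stored profile fields; it is a detection aid, not a sanitizer.
const VUE_SYNTAX = /\{\{|\}\}|\bv-[a-z]+|(^|\s)[:@#][a-z]/i;
function looksLikeVueTemplate(value) {
  return VUE_SYNTAX.test(String(value));
}

// Vulnerable pattern: escaped user text is placed inside markup that Vue
// will compile. '{' and '}' are not HTML-special, so "{{ ... }}" reaches
// Vue's template compiler unchanged and is evaluated as an expression.
function renderProfileVulnerable(name) {
  return `<div id="app"><span class="name">${escapeHtml(name)}</span></div>`;
}

// Hardened pattern 1: v-pre makes Vue skip compilation of that element and
// its children, so any mustaches in the name are displayed literally.
function renderProfileWithVPre(name) {
  return `<div id="app"><span class="name" v-pre>${escapeHtml(name)}</span></div>`;
}

// Hardened pattern 2: keep user text out of the template entirely. Ship it
// as JSON in a data island ('<' escaped so it can never close the script
// tag) and let Vue bind it with v-text, which sets textContent and does not
// compile the value.
function renderProfileWithVText(name) {
  const json = JSON.stringify({ name: String(name) }).replace(/</g, '\\u003c');
  return {
    dataIsland: `<script id="profile-data" type="application/json">${json}</script>`,
    appMarkup: `<div id="app"><span class="name" v-text="profile.name"></span></div>`,
  };
}
```

The `appMarkup` of the second hardened form contains no user-controlled bytes at all, which is the property to check for in a code review of profile views.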

Technical Appendix

CVSS Score: 7.4 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected Systems

Bagisto eCommerce Platform

Affected Versions Detail

Product | Affected Versions | Fixed Version
Bagisto | < 2.3.10          | 2.3.10

Attribute           | Detail
CWE ID              | CWE-1336
Attack Vector       | Network
CVSS v4.0           | 7.4
Privileges Required | Low (Authenticated User)
Exploit Status      | PoC Available
Impact              | High (Confidentiality/Integrity)
CWE-1336
Template Injection

Improper Neutralization of Special Elements Used in a Template Engine

Vulnerability Timeline

Patch Commit Pushed: 2026-04-12
GHSA Published: 2026-04-15
