CVE-2026-21450

Shopping for Shells: Bagisto Reporting SSTI to RCE

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Bagisto versions prior to 2.3.10 contain a logic flaw in how reporting metrics are rendered. By manipulating the 'type' parameter in the URL, an authenticated attacker (admin) can inject Laravel Blade syntax, leading to Remote Code Execution (RCE).

A critical Server-Side Template Injection (SSTI) vulnerability in the Bagisto eCommerce platform allows authenticated administrators to execute arbitrary code via the Reporting module.
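As an added defender-side example (not code from the advisory or the Bagisto project), the following Python scans web-server access logs for Laravel Blade syntax in the `type` query parameter of requests to the reporting module, and shows the allowlist check that closes the flaw. The `/admin/reporting` path, the allowlisted type names and the log lines are constructed assumptions, not Bagisto's real routes or report names.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Blade constructs that should never appear in a report-type selector:
# escaped echo {{ }}, raw echo {!! !!}, and directives such as @php or @include(...)
BLADE_PATTERNS = [
    re.compile(r"\{\{.*?\}\}", re.S),
    re.compile(r"\{!!.*?!!\}", re.S),
    re.compile(r"@[A-Za-z]+\s*\("),
    re.compile(r"@php\b", re.I),
]

# Constructed allowlist: Bagisto's real report type names are not taken from the page.
ALLOWED_REPORT_TYPES = {"total-sales", "total-orders", "average-sale"}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def is_allowed_report_type(value):
    """Hardened check: accept only an exact allowlisted type, never raw template text."""
    return value in ALLOWED_REPORT_TYPES


def suspicious_type_values(log_lines, path_marker="/admin/reporting"):
    """Return (line_number, decoded_type) for reporting requests whose `type`
    parameter carries Blade syntax; a second decode normalises double-encoding."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not parts.path.startswith(path_marker):
            continue
        for value in parse_qs(parts.query).get("type", []):
            decoded = unquote(value)  # parse_qs already decoded once
            if any(p.search(decoded) for p in BLADE_PATTERNS):
                hits.append((number, decoded))
    return hits


# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jan/2026:10:00:00 +0000] "GET /admin/reporting/sales?type=total-sales HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Jan/2026:10:00:07 +0000] "GET /admin/reporting/sales?type=%7B%7B%207*7%20%7D%7D HTTP/1.1" 200 4096',
    '10.0.0.9 - - [02/Jan/2026:10:01:00 +0000] "GET /admin/catalog/products?type=%7B%7Bx%7D%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_type_values(SAMPLE_LOG):
        print(f"line {number}: Blade syntax in type={value!r}")
```

Only the second sample line is reported: it targets the reporting path and its `type` value decodes to a Blade echo tag, while the third line carries the same syntax against an unrelated route and is ignored.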

Technical Appendix

CVSS Score: 7.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Probability: 0.04% (top 100% most exploited)
Exposed instances: 2,500 (via Shodan)

Affected Systems

Bagisto eCommerce < 2.3.10

Affected Versions Detail

Product | Vendor | Affected Versions | Fixed Version
Bagisto | Webkul | < 2.3.10          | 2.3.10

Attribute      | Detail
CWE            | CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
CVSS 4.0       | 7.3 (High)
Attack Vector  | Network
Privileges     | High (Admin)
Exploit Status | PoC Available
Impact         | Remote Code Execution (RCE)
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine

The application allows user input to control the template syntax that is rendered, enabling the injection of malicious directives.

Vulnerability Timeline

2025-12-24  Vendor releases fix in commit 3f294b4
2026-01-02  CVE-2026-21450 assigned
2026-01-02  Public advisory published