Jan 2, 2026
Bagisto versions prior to 2.3.10 contain a logic flaw in how reporting metrics are rendered. By manipulating the 'type' parameter in the URL, an authenticated attacker (admin) can inject Laravel Blade syntax, leading to Remote Code Execution (RCE).
A critical Server-Side Template Injection (SSTI) vulnerability in the Bagisto eCommerce platform allows authenticated administrators to execute arbitrary code via the Reporting module.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bagisto Webkul | < 2.3.10 | 2.3.10 |

| Attribute | Detail |
|---|---|
| CWE | CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) |
| CVSS 4.0 | 7.3 (High) |
| Attack Vector | Network |
| Privileges | High (Admin) |
| Exploit Status | PoC Available |
| Impact | Remote Code Execution (RCE) |
The reporting module lets the user-supplied 'type' parameter control the template syntax that is rendered, so Blade directives placed in that parameter are compiled and executed by the template engine instead of being treated as inert data.
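A hardened way to handle a report type selector, shown here as an added example that is not Bagisto's own code: the request value is validated against a fixed allowlist and used only to pick one of a set of known view names, so it can never reach the Blade compiler as template text. The controller class, the accepted `type` values, the view names and the `statsFor` helper are all assumptions.

```php
<?php
// Added example (not Bagisto code): a controller for a report page where the
// `type` query parameter selects which metric template is rendered.
// Assumed names: ReportController, the `type` values, the view names, statsFor().

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;
use Illuminate\View\View;

class ReportController extends Controller
{
    // Closed map from accepted `type` values to the views that render them.
    // The keys are the allowlist; the values are fixed view names, so the
    // request can only choose among them and never supplies template source.
    private const REPORT_VIEWS = [
        'sales'     => 'admin.reports.sales',
        'customers' => 'admin.reports.customers',
        'products'  => 'admin.reports.products',
    ];

    public function show(Request $request): View
    {
        // Anything outside the allowlist fails validation (HTTP 422) before
        // any rendering happens, so it never reaches Blade at all.
        $validated = $request->validate([
            'type' => ['required', 'string', Rule::in(array_keys(self::REPORT_VIEWS))],
        ]);

        $type = $validated['type'];

        // Values echoed back to the user are passed as view data, which Blade
        // HTML-escapes via {{ }}; they are never concatenated into the template
        // string or handed to Blade::render() / Blade::compileString() as source.
        return view(self::REPORT_VIEWS[$type], [
            'type'  => $type,
            'stats' => $this->statsFor($type),
        ]);
    }

    // Assumed helper: gathers the metrics for one report type.
    private function statsFor(string $type): array
    {
        return [];
    }
}
```

The same pattern applies to any other request field that selects a template: map it to a fixed view name, never interpolate it into template text.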