SB20260425207 - Multiple vulnerabilities in Bagisto

Published: April 25, 2026

Security Bulletin ID: SB20260425207
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 83% Low 17%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-21446)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to create administrative accounts and modify application configuration.

The vulnerability exists due to improper access control in installer API endpoints when handling direct requests to /install/api/* after installation is complete. A remote attacker can send a specially crafted request to create administrative accounts and modify application configuration.

The installer UI protections can be bypassed by directly invoking the API endpoints, and no CSRF token or session is required.
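Added detection example, not part of this bulletin or of the Bagisto project: it scans constructed combined-format access-log lines for requests to /install/api/* that arrive after the recorded installation-completion time, which is the post-install condition described above. The step name in the sample paths and the completion timestamp are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Apache/nginx combined-format access log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
INSTALLER_API_PREFIX = "/install/api/"

# Constructed sample log; the step name under /install/api/ is a placeholder, not a real Bagisto route.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2026:10:00:01 +0000] "POST /install/api/example-step HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [26/Apr/2026:09:10:44 +0000] "GET /customer/account HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Apr/2026:09:15:00 +0000] "POST /install/api/example-step HTTP/1.1" 200 210 "-" "python-requests/2.31"
203.0.113.10 - - [26/Apr/2026:09:15:02 +0000] "GET /install/api/example-step?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""
# Assumed: when the installer finished, taken from the deployment record.
INSTALL_COMPLETED = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }

def installer_api_hits_after_install(log_text: str, install_completed: datetime) -> List[Dict[str, object]]:
    """Requests to /install/api/* that arrived after installation was completed.
    Any such hit is worth reviewing; 'answered' marks 2xx responses, i.e. the
    endpoint actually served the request, which is the CVE-2026-21446 condition."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(INSTALLER_API_PREFIX):
            continue
        if rec["ts"] <= install_completed:
            continue  # legitimate installer traffic from before completion
        rec["answered"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits
```

A 403 after completion shows the installer routes are still reachable at all; an answered 2xx hit is the case to treat as a possible compromise and check the admin user table against.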


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-21447)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive purchase information.

The vulnerability exists due to improper access control in the customer order reorder function in OrderController.php when handling reorder requests with a user-controlled order ID parameter. A remote user can manipulate the order ID parameter to add items from another customer's order to their own shopping cart and disclose sensitive purchase information.

The issue affects the reorder route and does not require user interaction.


3) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-21448)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side template injection in the checkout address handling and customer address creation functionality when processing user-supplied address input. A remote user can inject a crafted template expression to execute arbitrary code.

Injected input is rendered in the admin order view, and the issue is also reachable through customer address creation.


4) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-21449)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side template injection in the first name and last name profile fields when processing profile updates. A remote user can submit crafted template expressions to execute arbitrary code.


5) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-21450)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side template injection in the reporting products view endpoint when processing the type parameter. A remote user can send a specially crafted request to execute arbitrary code.


6) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-21451)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary script in an administrator's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the CMS page editor when handling a modified CMS update HTTP request. A remote user can submit a specially crafted CMS update request to execute arbitrary script in an administrator's browser.

User interaction is required when an administrator views or edits the affected CMS page.


Remediation

Install the update from the vendor's website.