Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Bagisto - CVE-2026-21451

Published: April 25, 2026


Vulnerability identifier: #VU127916
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-21451
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Webkul Software Pvt. Ltd.
Affected software:
Bagisto

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the CMS page editor when handling a modified CMS update HTTP request. A remote user can submit a specially crafted CMS update request to execute arbitrary script in an administrator's browser.

User interaction is required when an administrator views or edits the affected CMS page.
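The advisory describes the weakness (CWE-80) but not the fix. The defensive pattern it implies is that the server rebuilds submitted CMS page HTML from an allowlist before storing it, so that script-related tags, event-handler attributes and script URLs never reach the administrator's browser, regardless of what the editor UI does, since the request described here is modified after leaving the editor. The following is an added illustration written for this page, not Bagisto's code (Bagisto is PHP; Python is used here so the logic is easy to read and run). The tag and attribute allowlist, the permitted URL schemes and the sample inputs are constructed for the example; in a real deployment a maintained sanitizer library would take the place of this hand-written class.

```python
"""Allowlist-based neutralization of script-related HTML in CMS page content.

Added illustration for CVE-2026-21451 / CWE-80; not Bagisto's code.
The parser below walks the submitted HTML and re-emits only allowlisted
tags and attributes, escaping all text. Everything script-related
(script/style/iframe/object/embed elements, on* handlers, javascript: and
data: URLs) is dropped rather than escaped.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags a CMS page body is expected to contain.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "a", "h1", "h2", "h3"}
# Attributes permitted per tag; anything else (including every on* handler)
# is dropped. Tags not listed here keep no attributes at all.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Only these href prefixes pass; "javascript:", "data:", "vbscript:" never do.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Elements whose entire content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br"}


class CmsSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags/attributes; text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0  # nesting depth inside a DROP_WITH_CONTENT element

    def _safe_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, srcdoc=, ...
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_HREF_PREFIXES):
                    continue  # javascript:/data: and unknown schemes are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return  # unknown tags (img, svg, form, ...) vanish, their text stays
        self.out.append(f"<{tag}{self._safe_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags: open, then close if not void
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            # convert_charrefs already decoded entities; re-escape on output so
            # "&lt;script&gt;" in the input cannot become a live tag.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are a common place to hide markup


def sanitize_cms_html(html: str) -> str:
    """Return the allowlisted, re-serialized form of a submitted CMS page body."""
    parser = CmsSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of a modified CMS update body, as the advisory describes.
    submitted = ('<h1>About us</h1><p>Hello <script>alert(1)</script>world</p>'
                 '<img src=x onerror=alert(1)><a href="javascript:alert(1)">x</a>')
    print(sanitize_cms_html(submitted))
```

The check belongs on the server in the handler for the CMS update request itself, not only in the editor's client-side code: the advisory's attacker alters the request after the editor has produced it, so any neutralization done in the browser never runs. Output encoding when the page is rendered to the administrator remains a separate, additional layer.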


How to mitigate CVE-2026-21451

Install the security update from the vendor's website.

Sources