CVE-2025-60880

Source
https://cve.org/CVERecord?id=CVE-2025-60880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-60880
Aliases
Published
2025-10-10T19:15:38.090Z
Modified
2026-04-10T05:32:30.104585Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
Summary
[none]
Details

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

References

Affected packages

Git / github.com/bagisto/bagisto

Affected ranges

Type
GIT
Repo
https://github.com/bagisto/bagisto
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2.3.6
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.6"
        }
    ]
}

Affected versions

1.*
1.4.0
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.4-BETA1
v0.1.4-BETA2
v0.1.4-BETA3
v0.1.4-BETA4
v0.1.5
v0.1.6-ALPHA1
v0.1.7
v0.1.8
v1.*
v1.0.0
v1.0.0-BETA1
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.0-BETA1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v2.*
v2.0.0
v2.0.0-BETA-1
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60880.json"