CVE-2025-62418

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-62418

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62418.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-62418

Aliases

GHSA-fg89-g389-p346

Published

2025-10-16T18:35:06.105Z

Modified

2026-04-10T05:33:02.256906Z

Severity

6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)

Details

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62418.json",
    "cwe_ids": [
        "CWE-80",
        "CWE-87"
    ]
}

References

Affected packages

Git / github.com/bagisto/bagisto

Affected ranges

Type: GIT
Repo: https://github.com/bagisto/bagisto
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2886bcc0cd665116b7482f81d1ee87194f01702f

Affected versions

1.*

1.4.0

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.4-BETA1

v0.1.4-BETA2

v0.1.4-BETA3

v0.1.4-BETA4

v0.1.5

v0.1.6-ALPHA1

v0.1.7

v0.1.8

v1.*

v1.0.0

v1.0.0-BETA1

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.2.0-BETA1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.5.0

v2.*

v2.0.0

v2.0.0-BETA-1

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62418.json"