GHSA-5j4h-4f72-qpm6

Source

https://github.com/advisories/GHSA-5j4h-4f72-qpm6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-5j4h-4f72-qpm6/GHSA-5j4h-4f72-qpm6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5j4h-4f72-qpm6

Aliases

CVE-2026-21448

Published

2026-01-02T22:13:40Z

Modified

2026-01-08T21:44:51.965073Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

Details

Summary

SSTI when normal customer orders any product in add address step can inject value run in admin view.

Details

As normal user 1. Go to http://127.0.0.1:8000/ 2. Add order to cart and continue to checkout 3. In step of add address inject this value {{7*7}} in any input

As admin 1. Go to http://127.0.0.1:8000/admin/sales/orders 2. And notice the vlaue appear in admin view 49

As normal user 3. Go to add address normally http://127.0.0.1:8000/customer/account/addresses/create and inject {{7*7}} on it and will notice it appear 49 <img width="1868" height="868" alt="image" src="https://github.com/user-attachments/assets/279627e9-6361-4d39-a500-0fc20e163d25" />

PoC

Video attached with the report: https://github.com/user-attachments/assets/a814b30c-a3e2-4a40-8644-336e21e60d0d

Impact

Can lead to RCE

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T22:13:40Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-01-02T21:15:59Z",
    "cwe_ids": [
        "CWE-1336"
    ]
}

References

Affected packages

Packagist / bagisto/bagisto

Package

Name: bagisto/bagisto
Purl: pkg:composer/bagisto/bagisto

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.10

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4-BETA1

v0.1.4-BETA2

v0.1.4-BETA3

v0.1.4-BETA4

v0.1.4

v0.1.5

v0.1.6-ALPHA1

v0.1.6

v0.1.7-BETA1

v0.1.7-BETA2

v0.1.7

v0.1.8

v0.1.9-BETA1

v0.1.9

v0.2.0

v0.2.1

v0.2.2

v1.*

v1.0.0-BETA1

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.2.0-BETA1

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.5.0

v1.5.1

v2.*

v2.0.0-BETA-1

v2.0.0

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.2.10

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-5j4h-4f72-qpm6/GHSA-5j4h-4f72-qpm6.json"