GHSA-9hvg-qw5q-wqwp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9hvg-qw5q-wqwp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-9hvg-qw5q-wqwp/GHSA-9hvg-qw5q-wqwp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9hvg-qw5q-wqwp
- Published
- 2026-01-02T21:56:00Z
- Modified
- 2026-01-02T22:33:36.506895Z
- Severity
-
- 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Bagisto SSTI vulnerability in type parameter can lead to RCE
- Details
-
Summary
SSTI is possible in Bagisto via type parameter can lead to RCE and other exploitations.
Details
- Go to
http://127.0.0.1:8000/admin/reporting/products/view?type={{7*7}}
<img width="1251" height="282" alt="image" src="https://github.com/user-attachments/assets/652e96f4-631e-4322-8561-63f4d897a480" />
Impact
Can lead to RCE, command injection.
- Go to
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-01-02T21:56:00Z", "severity": "HIGH", "nvd_published_at": "2026-01-02T21:16:02Z", "cwe_ids": [ "CWE-1336" ] }- References
Affected packages
Packagist / bagisto/bagisto
Package
- Name
- bagisto/bagisto
- Purl
- pkg:composer/bagisto/bagisto
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.10
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4-BETA1
v0.1.4-BETA2
v0.1.4-BETA3
v0.1.4-BETA4
v0.1.4
v0.1.5
v0.1.6-ALPHA1
v0.1.6
v0.1.7-BETA1
v0.1.7-BETA2
v0.1.7
v0.1.8
v0.1.9-BETA1
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v1.*
v1.0.0-BETA1
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0-BETA1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1
v2.*
v2.0.0-BETA-1
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9