GHSA-mqhg-v22x-pqj8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mqhg-v22x-pqj8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mqhg-v22x-pqj8/GHSA-mqhg-v22x-pqj8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mqhg-v22x-pqj8
- Aliases
- Published
- 2026-01-02T22:51:40Z
- Modified
- 2026-01-08T21:43:21.194817Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
- Details
-
Summary
SSTI is possible via first name and last name parameters provided by lowest-privileged users.
Details
- Go to
http://127.0.0.1:8000/and login or signup - Go to
http://127.0.0.1:8000/customer/account/profile - Now edit the first name and last name to {{7*7}}
- Notice it appears as 49
POC
- Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912
Impact
This can lead to RCE, command injection.
- Go to
- Database specific
{ "nvd_published_at": "2026-01-02T21:16:02Z", "cwe_ids": [ "CWE-1336" ], "github_reviewed_at": "2026-01-02T22:51:40Z", "severity": "HIGH", "github_reviewed": true }- References
Affected packages
Packagist / bagisto/bagisto
Package
- Name
- bagisto/bagisto
- Purl
- pkg:composer/bagisto/bagisto
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.10
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4-BETA1
v0.1.4-BETA2
v0.1.4-BETA3
v0.1.4-BETA4
v0.1.4
v0.1.5
v0.1.6-ALPHA1
v0.1.6
v0.1.7-BETA1
v0.1.7-BETA2
v0.1.7
v0.1.8
v0.1.9-BETA1
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v1.*
v1.0.0-BETA1
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0-BETA1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1
v2.*
v2.0.0-BETA-1
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9