7.4

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21449

CVE-2026-21449: Bagisto has SSTI via first and last name from low-privilege user (not admin)

Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21449

CVE-2026-21449:

7.4

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	< 2.3.10	2.3.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit reveals a Server-Side Template Injection (SSTI) vulnerability in Bagisto. The vulnerability is located in the customer profile page, where the first_name and last_name of a user are displayed.

The commit 4144931da0014c696f9126132ce44d7cfbdb2761 modifies the Blade template file packages/Webkul/Shop/src/Resources/views/customers/account/profile/index.blade.php. The patch replaces the direct rendering of customer names using {{ $customer->first_name }} and {{ $customer->last_name }} with the Vue.js directive v-text. The original code caused the Blade engine to evaluate the content of the first_name and last_name fields, leading to SSTI. The use of v-text ensures the data is treated as a plain string, mitigating the vulnerability.

Based on the file path and Laravel framework conventions, the template is rendered by the index method of the Webkul\Shop\Http\Controllers\Customer\ProfileController class. This function is the primary runtime indicator for the exploitation of the vulnerability, as its execution triggers the rendering of the malicious payload.

Additionally, the update method of the same controller is identified as part of the vulnerability chain. This method handles the submission of the user's profile data and is the entry point for injecting the SSTI payload into the application's database. Although not directly patched, it is a crucial component for a successful exploit.

Vulnerable functions

Webkul\Shop\Http\Controllers\Customer\ProfileController::index

packages/Webkul/Shop/src/Resources/views/customers/account/profile/index.blade.php

The vulnerability lies within the Blade template `index.blade.php`, which is rendered by the `index` method of the `ProfileController`. The template used `{{ $customer->first_name }}` and `{{ $customer->last_name }}` to display the customer's name. This allowed for Server-Side Template Injection (SSTI) because the content was evaluated by the Blade templating engine. An attacker could inject template syntax (e.g., `{{7*7}}`) into their first or last name, which would be executed on the server. The patch mitigates this by using Vue.js's `v-text` directive, which treats the input as a literal string and not as a template, preventing code execution.

Webkul\Shop\Http\Controllers\Customer\ProfileController::update

packages/Webkul/Shop/src/Http/Controllers/Customer/ProfileController.php

The `update` method in the `ProfileController` is responsible for processing and saving the user's profile data, including the `first_name` and `last_name` fields. This method accepts user input and persists it to the database without sanitizing it against template injection. While the vulnerability is triggered during rendering (by the `index` method), this `update` method is the entry point for the malicious payload. An attacker would use the endpoint handled by this method to save their SSTI payload.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21449: Bagisto has SSTI via first and last name from low-privilege user (not admin)

CVE-2026-21449:

7.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2026-21449: Bagisto has SSTI via first and last name from low-privilege user (not admin)

Basic Information

Basic Information

7.4

7.4

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI