5.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21451

CVE-2026-21451: Bagisto has HTML Filter Bypass that Enables Stored XSS

Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize <script> tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21451

CVE-2026-21451:

5.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	< 2.3.10	2.3.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the commit f533b1cd9c80896792da60976179c95573d78b79, which was provided as a reference for the vulnerability. The vulnerability description highlights a stored XSS in the CMS page editor. However, the patch in the provided commit addresses a stored XSS vulnerability in the product review attachments feature, not the CMS editor. The commit modifies the upload function within the ProductReviewAttachmentRepository to add sanitization for SVG files. Before this change, the lack of sanitization made the upload function vulnerable. While the root cause is similar (insufficient server-side sanitization), the affected component in the patch is different from the one in the description. This analysis focuses on the concrete evidence from the provided patch.

Vulnerable functions

Webkul\Product\Repositories\ProductReviewAttachmentRepository::upload

packages/Webkul/Product/src/Repositories/ProductReviewAttachmentRepository.php

The `upload` function is responsible for handling file attachments for product reviews. Prior to the patch, the function directly stored uploaded files without any sanitization. This allowed for a stored XSS vulnerability, as an attacker could upload a malicious SVG file with embedded JavaScript. The script would then execute in the browser of any user viewing the product review. The patch mitigates this by introducing a call to `sanitizeSVG` before creating the attachment record.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21451: Bagisto has HTML Filter Bypass that Enables Stored XSS

CVE-2026-21451:

5.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

5.2

5.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-21451: Bagisto has HTML Filter Bypass that Enables Stored XSS

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI