Stored Cross-Site Scripting Vulnerability in Bagisto eCommerce Platform
CVE-2026-60120

5.1MEDIUM

Key Information:

Vendor

Bagisto

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-60120?

The Bagisto eCommerce platform prior to version 2.4.4 is susceptible to a stored cross-site scripting vulnerability due to inadequate template handling in the create.blade.php file. This flaw allows attackers to embed malicious JavaScript code by manipulating customer account registration fields. When an administrator accesses the Create Order page for an affected customer, the platform fails to neutralize the user-supplied input, enabling attackers to execute arbitrary scripts under the context of the admin’s browser, which poses significant security risks.

Affected Version(s)

bagisto 0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aaron Amran Bin Amiruddin
.