Stored Cross-Site Scripting Vulnerability in Bagisto eCommerce Platform
CVE-2026-60120
5.1MEDIUM
What is CVE-2026-60120?
The Bagisto eCommerce platform prior to version 2.4.4 is susceptible to a stored cross-site scripting vulnerability due to inadequate template handling in the create.blade.php file. This flaw allows attackers to embed malicious JavaScript code by manipulating customer account registration fields. When an administrator accesses the Create Order page for an affected customer, the platform fails to neutralize the user-supplied input, enabling attackers to execute arbitrary scripts under the context of the admin’s browser, which poses significant security risks.
Affected Version(s)
bagisto 0
