Path Traversal Vulnerability in Bagisto ImageCacheController
CVE-2026-9506

8.7HIGH

Key Information:

Vendor

Webkul

Status
Vendor
CVE Published:
8 June 2026

What is CVE-2026-9506?

A vulnerability in Bagisto's ImageCacheController component allows attackers to exploit improper validation of user-supplied input. By sending crafted path traversal sequences via the filename parameter, an unauthenticated remote attacker can gain unauthorized access to sensitive files outside the intended directory on the system. This exploitation can lead to significant security risks as it enables the reading of arbitrary files, including potentially sensitive information.

Affected Version(s)

Bagisto version v2.4.1

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability is reported by Stalin S.
.