Path Traversal Vulnerability in Bagisto
CVE-2026-9506

8.7HIGH

Key Information:

Vendor: Webkul
Status: Bagisto
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-9506?

This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.

Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

Affected Version(s)

Bagisto version v2.4.1

References

https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOT...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 25, 2026

Credit

This vulnerability is reported by Stalin S.

CVE-2026-9506 Data

JSON

Webkul

What is CVE-2026-9506?

Affected Version(s)

References

CVSS V4

Timeline

Credit