Cybercrew-Analyst

#30958 of 53,624
8.4 Total CVSS
Vulnerabilities · 1
PT-2026-1131
8.4
2026-01-02
Bagisto · Bagisto · CVE-2026-21451
**Name of the Vulnerable Software and Affected Versions**

Bagisto versions prior to 2.3.10

**Description**

Bagisto, an open source Laravel eCommerce platform, contains a stored Cross-Site Scripting (XSS) issue within the CMS page editor. The platform’s attempt to sanitize `<script>` tags can be bypassed by manipulating the raw HTTP POST request before submission. This allows arbitrary JavaScript to be stored in the CMS content and executed when the page is viewed or edited. This poses a high-severity risk to administrators, potentially leading to complete account takeover, backend hijacking, and malicious script execution. The vulnerability exists due to insufficient input validation when handling CMS page content.

**Recommendations**

Update to version 2.3.10 or later.