CVE-2025-60880

Name of the Vulnerable Software and Affected Versions Bagisto version 2.3.6

Description An authenticated stored Cross-Site Scripting (XSS) issue exists in the admin panel's product creation functionality. An attacker can upload a crafted SVG file containing malicious JavaScript code. This allows execution of arbitrary JavaScript in the browser of an authenticated admin user, potentially leading to session hijacking or data theft. The vulnerability is triggered when the malicious SVG file is rendered. The affected path is the product creation process within the admin panel.

Recommendations Update to a newer version that contains a fix for this vulnerability.