PT-2025-42534 · Bagisto · Bagisto
Published 2025-10-16 · Updated 2025-10-16
CVE-2025-62415
CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Bagisto versions prior to 2.3.8
Description
The TinyMCE image upload functionality in Bagisto allows an attacker with sufficient privileges to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. The application attempts to block HTML file uploads, but if the backend detects HTML or JavaScript content within a .png file, the file extension is automatically converted to .html. This allows the execution of JavaScript code when the HTML file is viewed. An attacker with upload privileges can target other admin users or editors who view the content, potentially leading to session hijacking, unauthorized actions, or privilege escalation.
Recommendations
Update to Bagisto version 2.3.8 or later.
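The root cause described above is a validator that reacts to HTML or JavaScript markers inside an image upload by rewriting the extension to .html, which turns a blocked upload into a browser-executable one. The following Python is an added example, not Bagisto's code: `legacy_extension_for` models the renaming behaviour the advisory describes, and `validate_image_upload` shows the hardened alternative, which checks the declared extension against an allow-list, verifies the file's magic bytes match that extension, scans for active-content markers, and rejects the upload outright instead of renaming it. The allow-list, magic-byte table, marker list and sample inputs are all constructed for this example; `safe_image_headers` adds the response headers a storage endpoint should send as defence in depth.

```python
import re

# Constructed allow-list: extensions this endpoint accepts and the magic
# bytes each must begin with. Bagisto's real list is not on the advisory page.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of active content that have no business inside an image payload.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|iframe|object|embed|svg|html|body)\b|javascript\s*:",
    re.IGNORECASE,
)


def _declared_extension(filename: str) -> str:
    """Lower-cased extension after the last dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def legacy_extension_for(filename: str, data: bytes) -> str:
    """Sketch of the flawed behaviour the advisory describes (assumption, not
    Bagisto's code): content that looks like HTML is stored with an .html
    extension instead of being refused, so the browser will render it."""
    if ACTIVE_CONTENT.search(data):
        return "html"
    return _declared_extension(filename)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: return (accepted, reason). Never renames a file;
    anything that is not demonstrably the image it claims to be is rejected."""
    ext = _declared_extension(filename)
    if ext not in IMAGE_MAGIC:
        return False, f"extension '.{ext}' is not in the image allow-list"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "file signature does not match the declared extension"
    if ACTIVE_CONTENT.search(data):
        return False, "active content markers found inside image payload"
    return True, "ok"


def safe_image_headers(ext: str) -> dict[str, str]:
    """Response headers for serving stored uploads: pin the MIME type, forbid
    MIME sniffing, and sandbox the response so a stray HTML document cannot
    run script or reach the origin even if validation were bypassed."""
    mime = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
            "gif": "image/gif"}[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads for demonstration.
GOOD_PNG = IMAGE_MAGIC["png"] + b"\x00" * 16
HTML_AS_PNG = b"<html><script>alert(1)</script></html>"
POLYGLOT_PNG = IMAGE_MAGIC["png"] + b"\x00" * 8 + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for name, blob in [("logo.png", GOOD_PNG), ("logo.png", HTML_AS_PNG),
                       ("logo.png", POLYGLOT_PNG), ("page.html", b"<html>")]:
        print(name, "legacy ->", legacy_extension_for(name, blob),
              "| hardened ->", validate_image_upload(name, blob))
```

The contrast to notice is that the legacy path turns the second sample into a stored `.html` document, while the hardened path rejects all three bad samples for a stated reason and accepts only the genuine PNG; the headers function is there because extension validation alone should not be the last line of defence for user-controlled files served from the application's origin.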
Exploit
Fix
XSS
Related Identifiers
Affected Products
Bagisto