PT-2025-42535 · Bagisto · Bagisto

Published: 2025-10-16 · Updated: 2025-10-16 · CVE-2025-62416

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.8

Description: Bagisto is susceptible to Server-Side Template Injection (SSTI) because user-provided input isn't properly sanitized when processing product descriptions with the server-side templating engine. An attacker with product creation permissions can inject template expressions that the backend evaluates, potentially leading to Remote Code Execution (RCE). The product description field is passed to the view without adequate sanitization or escaping, allowing user data to execute arbitrary template code. Successful exploitation could allow attackers to execute arbitrary PHP code or system commands, read sensitive environment variables, API keys, or database credentials, deface the application, establish persistence, or escalate privileges.

Recommendations: Update to Bagisto version 2.3.8 or later.
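The root cause described above is a merchant-controlled string being compiled as a template instead of being rendered as data. The following is an added illustration, not Bagisto's code or the actual fix; it assumes Laravel's Blade engine (Bagisto is built on Laravel) and hypothetical helper names.

```php
<?php
// Added example, not taken from Bagisto. Assumes Laravel's Blade facade;
// function names are hypothetical.
use Illuminate\Support\Facades\Blade;

// VULNERABLE PATTERN: the product description is handed to the engine as
// the template source. Anything that looks like Blade syntax inside the
// stored description is compiled and executed on the server.
function renderDescriptionUnsafe(string $description): string
{
    return Blade::render($description);
}

// HARDENED PATTERN: the template is a fixed string under the developer's
// control; the description is passed in as a variable. Blade's {{ }} output
// HTML-escapes the value, so it is never parsed as template code.
function renderDescriptionSafe(string $description): string
{
    return Blade::render(
        '<div class="product-description">{{ $description }}</div>',
        ['description' => $description]
    );
}

// If product descriptions must keep HTML formatting, the same rule applies:
// run the stored HTML through an HTML sanitizer and output it as data
// (for example with {!! $sanitized !!}); do not compile it as a template.
```

Call sites that build templates by string concatenation or by reading a template body from the database deserve the same review.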

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2025-62416, GHSA-527Q-4WQV-G9WJ

Affected Products: Bagisto