PT-2025-42537 · Bagisto
Published 2025-10-16 · Updated 2025-10-17 · CVE-2025-62418
CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Bagisto versions prior to 2.3.8
Bagisto version 2.3.7
Description
The TinyMCE image upload functionality allows an attacker with sufficient privileges to upload a crafted SVG file containing embedded JavaScript. When the image is viewed, the malicious code executes in the context of the admin's or user's browser. The underlying issue is a lack of sanitization of SVG files: the application neither validates the file content nor strips potentially harmful tags, so unsafe content such as script elements and event-handler attributes runs when the SVG is rendered or embedded. This could lead to session hijacking, unauthorized actions, or privilege escalation if an attacker successfully targets admin users or editors who view the affected content.
Recommendations
Update to Bagisto version 2.3.8 or later.
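The content check the description says is missing, as an added example written for this advisory rather than code from Bagisto or TinyMCE: it flags the SVG constructs that carry script (script and foreignObject elements, on* event-handler attributes, javascript: hrefs) and strips them before the file is stored. Function names and the sample SVG are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary foreign (HTML) content.
UNSAFE_TAGS = {"script", "foreignObject"}

def _local(qname: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]

def _unsafe_attrs(el: ET.Element) -> list[str]:
    """Attribute names on `el` that can run script: on* handlers and javascript: hrefs."""
    bad = []
    for attr, value in el.attrib.items():
        name = _local(attr).lower()
        if name.startswith("on"):
            bad.append(attr)
        elif name == "href" and value.strip().lower().startswith("javascript:"):
            bad.append(attr)
    return bad

def svg_findings(svg: bytes) -> list[str]:
    """Describe why an uploaded SVG is unsafe to render inline; empty list means clean."""
    # In production parse with defusedxml.ElementTree so entity-expansion attacks are also blocked.
    root = ET.fromstring(svg)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in UNSAFE_TAGS:
            findings.append(f"<{tag}> element")
        findings += [f"{_local(a)} attribute on <{tag}>" for a in _unsafe_attrs(el)]
    return findings

def sanitize_svg(svg: bytes) -> bytes:
    """Return a copy with unsafe elements removed and unsafe attributes dropped."""
    root = ET.fromstring(svg)
    for parent in list(root.iter()):          # snapshot: the tree is modified below
        for child in list(parent):
            if _local(child.tag) in UNSAFE_TAGS:
                parent.remove(child)
        for attr in _unsafe_attrs(parent):
            del parent.attrib[attr]
    return ET.tostring(root)

# Constructed sample: structurally unsafe SVG with inert placeholders, not a real payload.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="void 0"/>
  <script>/* script body would go here */</script>
  <a xlink:href="javascript:void 0"><text>link</text></a>
</svg>"""
```

A deny-list like this catches the constructs named in the advisory; an allow-list of permitted elements and attributes is the stronger shape for a production upload filter, and serving uploads with `Content-Disposition: attachment` or from a separate origin limits the impact of anything that slips through.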
Vulnerability type: XSS
Affected Products: Bagisto, TinyMCE