PT-2026-1125 · Bagisto · Bagisto

Mhzcyber · Published 2026-01-02 · Updated 2026-01-03

CVE-2026-21446
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.10

Description: Bagisto, an open-source Laravel eCommerce platform, leaves its installer API routes active after the initial installation has completed. The installer API endpoints (/install/api/*) remain directly reachable and usable without authentication, so an unauthenticated attacker can bypass the installer to create admin accounts, modify application configuration, and potentially overwrite existing data.

Recommendations: Update to version 2.3.10 or later.
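Because the weakness is an installer route that keeps answering after setup, the practical defender check is whether anything under /install/api/ is still being served on a production host. The following Python script is an added example for this advisory, not Bagisto project code: it parses web-server access log lines in the combined format, picks out requests under the installer API prefix named above, and marks each as "served" (response below 400, meaning the route still answered) or "refused". The log lines, IP addresses and the sub-path names under /install/api/ are constructed samples; the real Bagisto route names are not reproduced here.

```python
"""Flag post-installation requests to the Bagisto installer API (/install/api/*).

Added example for this advisory, not Bagisto project code. Run it against an
access log of an installed instance: any "served" hit means the installer API
is still reachable and the host should be upgraded to 2.3.10 or later.
"""
import re
from collections import Counter

# Combined log format: client, identity, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Installer API prefix named in the advisory.
INSTALLER_PREFIX = "/install/api/"

# Constructed sample log lines. "sample-step" is a made-up path segment,
# not a real Bagisto installer route name.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:01:13 +0000] "GET /install/api/sample-step HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [02/Jan/2026:10:01:15 +0000] "POST /install/api/sample-step HTTP/1.1" 200 88 "-" "curl/8.4"
198.51.100.4 - - [02/Jan/2026:10:02:01 +0000] "GET /api/v1/products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jan/2026:10:02:30 +0000] "GET /install HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2026:08:00:00 +0000] "POST /install/api/sample-step HTTP/1.1" 404 0 "-" "python-requests/2.31"
malformed line that does not parse
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_installer_hits(lines):
    """Return parsed records whose path falls under the installer API prefix.

    Each record gets a 'verdict': 'served' when the server answered with a
    non-error status (the route is still active), 'refused' otherwise.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if not (path == INSTALLER_PREFIX.rstrip("/") or path.startswith(INSTALLER_PREFIX)):
            continue
        rec["path"] = path
        rec["verdict"] = "served" if rec["status"] < 400 else "refused"
        hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by (client IP, method, verdict) for a quick triage view."""
    return Counter((h["ip"], h["method"], h["verdict"]) for h in hits)


if __name__ == "__main__":
    hits = find_installer_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["verdict"]})')
    for (ip, method, verdict), n in sorted(summarize(hits).items()):
        print(f"{ip} {method} {verdict}: {n}")
```

On the constructed input the script reports three installer-API requests: two served (the route answered 200) and one refused (404). After upgrading past 2.3.10, a re-run over fresh logs should show no "served" verdicts; any that remain point at a host that was not actually updated or that sits behind a cache serving stale responses.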

Exploit

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2026-21446, GHSA-6H7W-V2XR-MQVW

Affected Products: Bagisto