PT-2026-6370 — Packagist Bagisto/Bagisto

PT-2026-6370 · Packagist · Bagisto/Bagisto

Published

2026-01-02

Updated

2026-01-02

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

SSTI when normal customer orders any product in add address step can inject value run in admin view.

Details

As normal user

Go to http://127.0.0.1:8000/
Add order to cart and continue to checkout
In step of add address inject this value {{7*7}} in any input

As admin

Go to http://127.0.0.1:8000/admin/sales/orders
And notice the vlaue appear in admin view 49

As normal user 3. Go to add address normally http://127.0.0.1:8000/customer/account/addresses/create and inject {{7*7}} on it and will notice it appear 49

PoC

Video attached with the report: https://github.com/user-attachments/assets/a814b30c-a3e2-4a40-8644-336e21e60d0d

Impact

Can lead to RCE

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336

Related Identifiers

GHSA-5J4H-4F72-QPM6

Affected Products

Bagisto/Bagisto