PT-2026-6405 · Packagist · Bagisto/Bagisto

Published: 2026-01-02 · Updated: 2026-01-02

CVSS v4.0: 7.3 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Summary

Server-side template injection (SSTI) is possible in Bagisto via the type parameter, which can lead to RCE and other exploitation.

Details

  1. Go to http://127.0.0.1:8000/admin/reporting/products/view?type={{7*7}}
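As an added defender-side example (not part of this advisory or of Bagisto's own code), the following Python scans web-server access-log lines for requests to the route above whose type parameter carries a {{ ... }} template expression, including percent-encoded and double-encoded forms. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined/common access-log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Route and parameter named in the advisory.
WATCHED_PATH = "/admin/reporting/products/view"
WATCHED_PARAM = "type"
# A "{{ ... }}" template-expression pair, checked after URL decoding.
TEMPLATE_EXPR_RE = re.compile(r"\{\{.*?\}\}", re.S)

# Constructed sample log lines, not real traffic: a percent-encoded, a plain and a
# double-encoded probe of the watched route, plus two requests that must not fire.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2026:10:15:01 +0000] "GET /admin/reporting/products/view?type=%7B%7B7*7%7D%7D HTTP/1.1" 200 5120
10.0.0.6 - - [02/Jan/2026:10:15:02 +0000] "GET /admin/reporting/products/view?type=table HTTP/1.1" 200 4096
10.0.0.7 - - [02/Jan/2026:10:15:03 +0000] "GET /admin/reporting/products/view?type={{7*7}} HTTP/1.1" 200 5120
10.0.0.8 - - [02/Jan/2026:10:15:04 +0000] "GET /admin/reporting/customers/view?type={{7*7}} HTTP/1.1" 200 4096
10.0.0.9 - - [02/Jan/2026:10:15:05 +0000] "GET /admin/reporting/products/view?type=%257B%257B7*7%257D%257D HTTP/1.1" 200 5120
"""


def is_suspicious_type_value(value: str) -> bool:
    """True when the value, decoded up to twice, contains a {{ ... }} expression."""
    return TEMPLATE_EXPR_RE.search(unquote(unquote(value))) is not None


def scan_access_log(lines):
    """Return (ip, timestamp, decoded value) for each request to the watched
    route whose type parameter carries a template expression."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes once; keep_blank_values keeps "type=" visible.
        for value in parse_qs(parts.query, keep_blank_values=True).get(WATCHED_PARAM, []):
            if is_suspicious_type_value(value):
                hits.append((m.group("ip"), m.group("ts"), unquote(unquote(value))))
    return hits


def scan_sample():
    """Run the detector over the constructed sample; flags 10.0.0.5, .7 and .9."""
    return scan_access_log(SAMPLE_LOG.splitlines())
```

Because the route sits under /admin (the vector's PR:H), a hit identifies an authenticated admin session, so the alert is best correlated with that session's other activity rather than treated as anonymous scanning.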

Impact

Can lead to RCE and command injection.

Fix

Weakness Enumeration

Related Identifiers

GHSA-9HVG-QW5Q-WQWP

Affected Products

Bagisto/Bagisto