๐Ÿ” CVE Alert

CVE-2026-60120

MEDIUM 5.4

Bagisto < 2.4.4 Stored XSS via CSTI in create.blade.php

CVSS Score
5.4
EPSS Score
0.2%
EPSS Percentile
10th

Bagisto before 2.4.4 contains a stored cross-site scripting vulnerability via client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers by registering a customer account with malicious payload in the first or last name field. The create.blade.php template renders customer name fields without the Vue.js v-pre directive, causing Vue.js to evaluate stored template expressions as live JavaScript when an administrator opens the Create Order page for the affected customer.

CWE CWE-79
Vendor webkul
Product bagisto
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for webkul bagisto

Be the first to know when new medium vulnerabilities affecting webkul bagisto are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Affected Versions

Webkul / Bagisto
0 < 2.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/bagisto/bagisto/releases/tag/v2.4.4 github.com: https://github.com/bagisto/bagisto/commit/49d0c3fc90dedf8782c45c5979df4f4595d6bb97 vulncheck.com: https://www.vulncheck.com/advisories/bagisto-stored-xss-via-csti-in-create-blade-php

Credits

Aaron Amran Bin Amiruddin