CVE Alert

CVE-2026-9506

UNKNOWN 0.0

Path Traversal Vulnerability in Bagisto

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

CWE: CWE-22
Vendor: webkul
Product: bagisto
Published: Jun 8, 2026
Last Updated: Jun 8, 2026

Affected Versions

Webkul / Bagisto
version v2.4.1

References

cert-in.org.in: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0292

Credits

This vulnerability was reported by Stalin S.