Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize <script> tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited.
This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution.
Details
Bagisto’s CMS editor includes an HTML sanitation mechanism intended to protect against script injection by wrapping raw script content in <div> elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitation layer fails to strip or encode embedded <script> tags.
Because the back-end trusts the manipulated request, the malicious script is stored in the database exactly as submitted. When an administrator opens the CMS page (either in the editor or in the storefront), the JavaScript executes in the browser context with full admin privileges.
The vulnerability stems from insufficient server-side sanitization.
Sanitization logic appears to rely on client-side or UI-layer controls, leaving the underlying HTTP endpoint unprotected.
PoC
- A Bagisto 2.3.8 installation with access to the admin panel
- Ability to intercept and modify outgoing CMS update requests (e.g., via a proxy tool)
- Editing any CMS page (such as /admin/cms/edit/{id})
By introducing unfiltered script content directly into the HTTP payload; bypassing the UI-level sanitization the CMS endpoint accepts and stores the malicious JS.
Steps to Reproduce
- Log in as admin
- Navigate to: /admin/cms/edit/1
- Intercept the request (e.g., using Burp Suite)
- Modify the en[html_content] field to include raw JavaScript:
A video PoC has been prepared showing:
- Normal CMS editing behavior
- How the sanitation process is expected to work
- How altering the raw request bypasses sanitization
- Execution of the stored script once the page is loaded
This helps illustrate both expected behavior and actual vulnerability behavior clearly.
Video PoC: https://drive.google.com/file/d/1quGkBq1zwRhVrlJtVeDk9iQeUzqIyOM-/view
Recommendations
Implement server-side sanitization (e.g., HTMLPurifier or Laravel Purifier) to strip or encode
Impact
- Administrator account takeover
- Session hijacking
- Unauthorized actions performed in admin context
- Defacement or injection of malicious content into public pages
- Potential expansion into full application compromise
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-21451? CVE-2026-21451 is a medium-severity cross-site scripting (XSS) vulnerability in bagisto/bagisto (composer), affecting versions < 2.3.10. It is fixed in 2.3.10. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- Which versions of bagisto/bagisto are affected by CVE-2026-21451? bagisto/bagisto (composer) versions < 2.3.10 is affected.
- Is there a fix for CVE-2026-21451? Yes. CVE-2026-21451 is fixed in 2.3.10. Upgrade to this version or later.
- Is CVE-2026-21451 exploitable, and should I be worried? Whether CVE-2026-21451 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-21451 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-21451? Upgrade
bagisto/bagistoto 2.3.10 or later.