{"url":"http://public2.vulnerablecode.io/api/packages/36477?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.0","type":"composer","namespace":"bagisto","name":"bagisto","version":"2.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.16","latest_non_vulnerable_version":"2.3.16","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74215?format=json","vulnerability_id":"VCID-3832-hae8-gbgz","summary":"Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21450","reference_id":"","reference_type":"","scores":[{"value":"0.0062","scoring_system":"epss","scoring_elements":"0.7053","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21450"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/3f294b4837595929107d9c1bbd6d5b1222ef9fea","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/3f294b4837595929107d9c1bbd6d5b1222ef9fea"},{"reference_url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv
4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21450","reference_id":"CVE-2026-21450","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21450"},{"reference_url":"https://github.com/advisories/GHSA-9hvg-qw5q-wqwp","reference_id":"GHSA-9hvg-qw5q-wqwp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9hvg-qw5q-wqwp"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp","reference_id":"GHSA-9hvg-qw5q-wqwp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-02T21:24:20Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21450","GHSA-9hvg-qw5q-wqwp"],"risk_score":null,"exploitability":null,"weighted_
severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3832-hae8-gbgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102693?format=json","vulnerability_id":"VCID-8qb6-sqe9-nqfn","summary":"Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62418","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62418"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62418","reference_id":"CVE-2025-62418","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://
nvd.nist.gov/vuln/detail/CVE-2025-62418"},{"reference_url":"https://github.com/advisories/GHSA-fg89-g389-p346","reference_id":"GHSA-fg89-g389-p346","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fg89-g389-p346"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346","reference_id":"GHSA-fg89-g389-p346","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T14:31:17Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34535?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3832-hae8-gbgz"},{"vulnerability":"VCID-8w62-gx4s-rbev"},{"vulnerability":"VCID-d39t-m729-kuch"},{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-e4u7-qs71-byha"},{"vulnerability":"VCID-g4nr-us8e-wyf5"},{"vulnerability":"VCID-h6aw-uj8r-87fu"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.8"}],"aliases":["CVE-2025-62418","GHSA-fg89-g389-p346"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8qb6-sqe9-nqfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74317?format=json","vulnerability_id":"VCID-8w62-gx4s-rbev","summary":"Bagisto is an open source laravel eCommerce platform. 
Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21447","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02614","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21447"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3","reference_id":"b2b1cf62577245d03a68532478cffbe321df74d3","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T21:30:27Z/"}],"url":"https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21447","reference_id":"CVE-2026-21447","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21447"},{"reference_url":"https://github.co
m/advisories/GHSA-x5rw-qvvp-5cgm","reference_id":"GHSA-x5rw-qvvp-5cgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x5rw-qvvp-5cgm"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm","reference_id":"GHSA-x5rw-qvvp-5cgm","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T21:30:27Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21447","GHSA-x5rw-qvvp-5cgm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8w62-gx4s-rbev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102527?format=json","vulnerability_id":"VCID-9tsa-majs-zkgt","summary":"Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. 
These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62414","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62414"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62414","reference_id":"CVE-2025-62414","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62414"},{"reference_url":"https://github.com/advisories/GHSA-r9xj-mvqf-jm7w","reference_id":"GHSA-r9xj-mvqf-jm7w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9xj-mvqf-jm7w"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w","reference_id":"GHSA-r9xj-mvqf-jm7w","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/
M:M/D:T/2025-10-17T14:31:52Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34535?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3832-hae8-gbgz"},{"vulnerability":"VCID-8w62-gx4s-rbev"},{"vulnerability":"VCID-d39t-m729-kuch"},{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-e4u7-qs71-byha"},{"vulnerability":"VCID-g4nr-us8e-wyf5"},{"vulnerability":"VCID-h6aw-uj8r-87fu"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.8"}],"aliases":["CVE-2025-62414","GHSA-r9xj-mvqf-jm7w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9tsa-majs-zkgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102977?format=json","vulnerability_id":"VCID-asdb-7eey-s3ar","summary":"Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). 
This vulnerability is fixed in 2.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62417","reference_id":"","reference_type":"","scores":[{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38502","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62417"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/8076c708498a0187bc952d5f5f705e0cb1919682","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/8076c708498a0187bc952d5f5f705e0cb1919682"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62417","reference_id":"CVE-2025-62417","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62417"},{"reference_url":"https://github.com/advisories/GHSA-jqrp-58fv-w8cq","reference_id":"GHSA-jqrp-58fv-w8cq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jqrp-58fv-w8cq"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-jqrp-58fv-w8cq","reference_id":"GHSA-jqrp-58fv-w8cq","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT
:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-17T14:32:45Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-jqrp-58fv-w8cq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34535?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3832-hae8-gbgz"},{"vulnerability":"VCID-8w62-gx4s-rbev"},{"vulnerability":"VCID-d39t-m729-kuch"},{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-e4u7-qs71-byha"},{"vulnerability":"VCID-g4nr-us8e-wyf5"},{"vulnerability":"VCID-h6aw-uj8r-87fu"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.8"}],"aliases":["CVE-2025-62417","GHSA-jqrp-58fv-w8cq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asdb-7eey-s3ar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74528?format=json","vulnerability_id":"VCID-d39t-m729-kuch","summary":"Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. 
Version 2.3.10 contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21448","reference_id":"","reference_type":"","scores":[{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39071","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21448"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21448","reference_id":"CVE-2026-21448","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21448"},{"reference_url":"https://github.com/advisories/GHSA-5j4h-4f72-qpm6","reference_id":"GHSA-5j4h-4f72-qpm6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scor
ing_elements":""}],"url":"https://github.com/advisories/GHSA-5j4h-4f72-qpm6"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6","reference_id":"GHSA-5j4h-4f72-qpm6","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-02T21:29:24Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21448","GHSA-5j4h-4f72-qpm6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d39t-m729-kuch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75680?format=json","vulnerability_id":"VCID-dnjc-zctj-ykeb","summary":"A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: \"We already replied on the github advisories. 
All the security issues are addressed through security advisory. We will fix this in our upcomming releases.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6745","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1037","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6745"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6745","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6745"},{"reference_url":"https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing","reference_id":"10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I
:L/A:N/E:P/RL:X/RC:C"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:45:00Z/"}],"url":"https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing"},{"reference_url":"https://vuldb.com/vuln/358436","reference_id":"358436","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:45:00Z/"}],"url":"https://vuldb.com/vuln/358436"},{"reference_url":"https://vuldb.com/submit/794681","reference_id":"794681","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvs
sv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:45:00Z/"}],"url":"https://vuldb.com/submit/794681"},{"reference_url":"https://vuldb.com/vuln/358436/cti","reference_id":"cti","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:45:00Z/"}],"url":"https://vuldb.com/vuln/358436/cti"},{"reference_url":"https://github.com/advisories/GHSA-65fp-7g2v-658r","reference_id":"GHSA-65fp-7g2v-658r","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisorie
s/GHSA-65fp-7g2v-658r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1023460?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.16"}],"aliases":["CVE-2026-6745","GHSA-65fp-7g2v-658r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnjc-zctj-ykeb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74198?format=json","vulnerability_id":"VCID-e4u7-qs71-byha","summary":"Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21449","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09033","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21449"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/4144931da0014c696f9126132ce44d7cfbdb2761","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:
H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/4144931da0014c696f9126132ce44d7cfbdb2761"},{"reference_url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21449","reference_id":"CVE-2026-21449","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21449"},{"reference_url":"https://github.com/advisories/GHSA-mqhg-v22x-pqj8","reference_id":"GHSA-mqhg-v22x-pqj8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqhg-v22x-pqj8"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8","reference_id":"GHSA-mqhg-v22x-pqj8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_e
lements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-02T21:27:20Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21449","GHSA-mqhg-v22x-pqj8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e4u7-qs71-byha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74456?format=json","vulnerability_id":"VCID-g4nr-us8e-wyf5","summary":"Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the web installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. 
Version 2.3.10 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21446","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34495","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21446"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed","reference_id":"380c045e48490da740cd505fb192cc45e1809bed","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-05T15:54:26Z/"}],"url":"https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21446","reference_id":"CVE-2026-21446","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln
/detail/CVE-2026-21446"},{"reference_url":"https://github.com/advisories/GHSA-6h7w-v2xr-mqvw","reference_id":"GHSA-6h7w-v2xr-mqvw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6h7w-v2xr-mqvw"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw","reference_id":"GHSA-6h7w-v2xr-mqvw","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-05T15:54:26Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21446","GHSA-6h7w-v2xr-mqvw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4nr-us8e-wyf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/103042?format=json","vulnerability_id":"VCID-gwdu-8bfa-tbas","summary":"Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. 
When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62415","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62415"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62415","reference_id":"CVE-2025-62415","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62415"},{"reference_url":"https://github.com/advisories/GHSA-67px-r26w-598x","reference_id":"GHSA-67px-r26w-598x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67px-r26w-598x"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x","reference_id":"GHSA-67px-r26w-598x","reference_type":"","sco
res":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T14:30:48Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34535?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3832-hae8-gbgz"},{"vulnerability":"VCID-8w62-gx4s-rbev"},{"vulnerability":"VCID-d39t-m729-kuch"},{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-e4u7-qs71-byha"},{"vulnerability":"VCID-g4nr-us8e-wyf5"},{"vulnerability":"VCID-h6aw-uj8r-87fu"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.8"}],"aliases":["CVE-2025-62415","GHSA-67px-r26w-598x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gwdu-8bfa-tbas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74319?format=json","vulnerability_id":"VCID-h6aw-uj8r-87fu","summary":"Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. 
This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21451","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06882","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21451"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://github.com/bagisto/bagisto/commit/f533b1cd9c80896792da60976179c95573d78b79","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/commit/f533b1cd9c80896792da60976179c95573d78b79"},{"reference_url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto/releases/tag/v2.3.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21451","reference_id":"CVE-2026-21451","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_text
ual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21451"},{"reference_url":"https://github.com/advisories/GHSA-2mwc-h2mg-v6p8","reference_id":"GHSA-2mwc-h2mg-v6p8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2mwc-h2mg-v6p8"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8","reference_id":"GHSA-2mwc-h2mg-v6p8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T21:25:42Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36478?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.10"}],"aliases":["CVE-2026-21451","GHSA-2mwc-h2mg-v6p8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6aw-uj8r-87fu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/103033?format=json","vulnerability_id":"VCID-mdhr-cmp6-1qe5","summary":"Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. 
This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62416","reference_id":"","reference_type":"","scores":[{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49531","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62416"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62416","reference_id":"CVE-2025-62416","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62416"},{"reference_url":"https://github.com/advisories/GHSA-527q-4wqv-g9wj","reference_id":"GHSA-527q-4wqv-g9wj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-527q-4wqv-g9wj"},{"reference_url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj","reference_id":"GHSA-527q-4wqv-g9wj","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scorin
g_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T14:32:17Z/"}],"url":"https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34535?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3832-hae8-gbgz"},{"vulnerability":"VCID-8w62-gx4s-rbev"},{"vulnerability":"VCID-d39t-m729-kuch"},{"vulnerability":"VCID-dnjc-zctj-ykeb"},{"vulnerability":"VCID-e4u7-qs71-byha"},{"vulnerability":"VCID-g4nr-us8e-wyf5"},{"vulnerability":"VCID-h6aw-uj8r-87fu"},{"vulnerability":"VCID-qy4n-aj4s-wbfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.8"}],"aliases":["CVE-2025-62416","GHSA-527q-4wqv-g9wj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mdhr-cmp6-1qe5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75445?format=json","vulnerability_id":"VCID-qy4n-aj4s-wbfq","summary":"A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: \"We already replied on the github advisories. All the security issues are addressed through security advisory. 
We will fix this in our upcomming releases.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6744","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13722","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6744"},{"reference_url":"https://github.com/bagisto/bagisto","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bagisto/bagisto"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6744","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6744"},{"reference_url":"https://vuldb.com/vuln/358435","reference_id":"358435","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"
value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:27:24Z/"}],"url":"https://vuldb.com/vuln/358435"},{"reference_url":"https://vuldb.com/submit/794680","reference_id":"794680","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:27:24Z/"}],"url":"https://vuldb.com/submit/794680"},{"reference_url":"https://vuldb.com/vuln/358435/cti","reference_id":"cti","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"valu
e":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:27:24Z/"}],"url":"https://vuldb.com/vuln/358435/cti"},{"reference_url":"https://github.com/advisories/GHSA-x3f9-vcp2-hgcw","reference_id":"GHSA-x3f9-vcp2-hgcw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x3f9-vcp2-hgcw"},{"reference_url":"https://drive.google.com/file/d/1pVSN3BYjI_rUE2Jms5EcIBGSMdrq6Wql/view?usp=sharing","reference_id":"view?usp=sharing","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:27:24Z/"}],"url":"https://drive.google.com/file/d/1pVSN3BYjI_rUE2Jms5EcIBGSMdrq6Wql/view?usp=sharing"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/p
ackages/1023460?format=json","purl":"pkg:composer/bagisto/bagisto@2.3.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.16"}],"aliases":["CVE-2026-6744","GHSA-x3f9-vcp2-hgcw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qy4n-aj4s-wbfq"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bagisto/bagisto@2.3.0"}