Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| bagisto/bagisto(Packagist) | 0 | 2.3.8 | N/A |
CVSS Metrics
