CVE-2026-60120 in Bagistoinfo

Summary

by MITRE • 07/10/2026

Bagisto before 2.4.4 contains a stored cross-site scripting vulnerability via client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers by registering a customer account with malicious payload in the first or last name field. The create.blade.php template renders customer name fields without the Vue.js v-pre directive, causing Vue.js to evaluate stored template expressions as live JavaScript when an administrator opens the Create Order page for the affected customer.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within the Bagisto e-commerce platform version 2.4.3 and earlier, representing a critical stored cross-site scripting flaw that can be exploited by unauthenticated attackers. The vulnerability stems from improper input sanitization and template rendering practices within the client-side application logic. Attackers can register a customer account using malicious payloads in either the first or last name fields, which are then stored in the database and subsequently rendered without proper sanitization.

The technical implementation of this vulnerability occurs through the create.blade.php template file that fails to utilize the Vue.js v-pre directive when rendering customer name fields. This directive is specifically designed to prevent Vue.js from interpreting expressions within the template content, thereby protecting against client-side template injection attacks. Without this protective measure, Vue.js processes stored template expressions as live JavaScript code when administrators access the Create Order page for affected customers.

The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary JavaScript code within the context of administrator sessions. This provides attackers with elevated privileges and potential access to sensitive administrative functions, customer data, order information, and system configuration details. The attack requires no authentication from the attacker's perspective since they only need to register a customer account with malicious input.

This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a variant of client-side template injection that has been categorized under ATT&CK technique T1566.001 for initial access through malicious content. The exploitation chain demonstrates how insecure data handling in user input fields can lead to privilege escalation and persistent access within the application environment.

Mitigation strategies should include implementing proper input sanitization and output encoding for all user-provided data before storage and rendering. The most effective immediate fix involves adding the Vue.js v-pre directive to all template expressions that render user-supplied content, preventing Vue.js from evaluating stored expressions as JavaScript. Additionally, comprehensive input validation should be implemented at both client and server levels to detect and reject malicious payloads. Regular security audits of template rendering logic and input handling mechanisms are essential for preventing similar vulnerabilities in the future.

Responsible

VulnCheck

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!