CVE-2026-21451
Published: 02 January 2026
Summary
CVE-2026-21451 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Webkul Bagisto. Its CVSS base score is 8.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces rigorous validation of CMS page editor inputs to prevent bypass of script tag sanitization via manipulated HTTP POST requests.
- SI-15 (Information Output Filtering): filters and encodes CMS content output before rendering to block execution of any stored malicious JavaScript when pages are viewed or edited.
- Flaw remediation: mandates timely remediation of flaws like the sanitization bypass fixed in Bagisto version 2.3.10 to eliminate the vulnerability.
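As an added illustration of the SI-10 and SI-15 controls listed above (example code written for this page, not Bagisto's own sanitizer or its fix): rather than searching the editor's HTML for `<script>` tags and stripping them, which is the kind of deny-list check the advisory says was bypassed, the server parses the submitted content into a DOM and keeps only an allow-list of elements, attributes and URL schemes before anything is stored. The class name, the tag and attribute lists, and the `$_POST['content']` field name are assumptions made for the example; it needs PHP 8 with ext-dom.

```php
<?php
declare(strict_types=1);

// Added example, not Bagisto's own code: allow-list sanitizer for CMS page HTML.
// Assumes PHP 8 with ext-dom; the tag and attribute lists are illustrative choices.

final class CmsHtmlSanitizer
{
    // Elements kept (after attribute filtering). Anything not listed here or in
    // DROP_SUBTREE is unwrapped: its text and children survive, the element does not.
    private const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
        'h1', 'h2', 'h3', 'blockquote', 'a', 'img'];

    // Elements whose whole subtree is discarded, including any text inside them.
    private const DROP_SUBTREE = ['script', 'style', 'iframe', 'object', 'embed',
        'svg', 'math', 'form', 'template'];

    // Attributes kept, per tag. Event handlers (on*) and style are never listed,
    // so they are always removed.
    private const ALLOWED_ATTRS = [
        'a'   => ['href', 'title'],
        'img' => ['src', 'alt', 'width', 'height'],
    ];

    public function sanitize(string $html): string
    {
        $dom = new DOMDocument();
        libxml_use_internal_errors(true);          // tolerate malformed markup silently
        $dom->loadHTML(
            '<?xml encoding="utf-8"?><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();

        $root = $dom->getElementsByTagName('div')->item(0);   // the wrapper added above
        if ($root === null) {
            return '';
        }
        $this->walk($root);

        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $dom->saveHTML($child);        // text nodes are re-escaped on serialization
        }
        return $out;
    }

    private function walk(DOMNode $node): void
    {
        // Snapshot the child list: nodes are removed and re-parented while iterating.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if ($child instanceof DOMComment) {
                $node->removeChild($child);        // comments can carry conditional markup
                continue;
            }
            if (!$child instanceof DOMElement) {
                continue;                          // plain text is kept as text
            }
            $tag = strtolower($child->tagName);
            if (in_array($tag, self::DROP_SUBTREE, true)) {
                $node->removeChild($child);
                continue;
            }
            $this->walk($child);                   // sanitize the subtree first, then decide about the element
            if (!in_array($tag, self::ALLOWED_TAGS, true)) {
                while ($child->firstChild !== null) {   // unwrap: hoist children, drop the unknown element
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            $this->filterAttributes($child, $tag);
        }
    }

    private function filterAttributes(DOMElement $el, string $tag): void
    {
        $allowed = self::ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $isUrl = ($name === 'href' || $name === 'src');
            if (!in_array($name, $allowed, true) || ($isUrl && !$this->safeUrl($attr->value))) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    // Relative URLs and http/https/mailto are accepted; any other scheme is dropped.
    private function safeUrl(string $url): bool
    {
        $url = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';   // remove whitespace/control bytes before parsing
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if ($scheme === false) {
            return false;                          // unparseable URL: reject
        }
        return $scheme === null || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
    }
}

// Usage: run server side on the submitted editor field (field name assumed) before storing it.
$clean = (new CmsHtmlSanitizer())->sanitize($_POST['content'] ?? '');
```

The sanitized string is what gets persisted, so the stored content never contains an executable element or handler regardless of how the POST body was assembled. On the output side (SI-15), any field that is not meant to hold HTML should be rendered through Blade's escaping `{{ }}` syntax; `{!! !!}` emits raw HTML and should only ever receive content that has passed a sanitizer like this one.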
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct arbitrary JavaScript execution (T1059.007) after bypassing sanitization in the CMS editor; the flaw is exploited against the public-facing Bagisto web application (T1190) to achieve admin account takeover.
NVD Description
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.
Deeper analysis
CVE-2026-21451 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in Bagisto, an open-source Laravel eCommerce platform, affecting versions prior to 2.3.10. The flaw exists in the CMS page editor, where the platform's sanitization of `<script>` tags can be bypassed by manipulating the raw HTTP POST request before submission. This allows arbitrary JavaScript to be stored in CMS content, which executes whenever the page is viewed or edited.
Exploitation requires high privileges (PR:H) and user interaction (UI:R); with the scope change (S:C) and high impact on confidentiality, integrity and availability, the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H gives a base score of 8.4. A privileged user, such as a compromised low-level administrator, can inject malicious scripts that target higher-privileged administrators upon page access, enabling complete account takeover, backend hijacking, and execution of arbitrary malicious JavaScript.
The official Bagisto security advisory (GHSA-2mwc-h2mg-v6p8) at https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8 confirms the issue and states that upgrading to version 2.3.10 resolves the sanitization bypass.
Details
- CWE(s)