ghsa-2mwc-h2mg-v6p8
Vulnerability from github
Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize <script> tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited.
This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution.
Details
Bagisto’s CMS editor includes an HTML sanitation mechanism intended to protect against script injection by wrapping raw script content in <div> elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitation layer fails to strip or encode embedded <script> tags.
Because the back-end trusts the manipulated request, the malicious script is stored in the database exactly as submitted. When an administrator opens the CMS page (either in the editor or in the storefront), the JavaScript executes in the browser context with full admin privileges.
The vulnerability stems from insufficient server-side sanitization. Sanitization logic appears to rely on client-side or UI-layer controls, leaving the underlying HTTP endpoint unprotected.
PoC
- A Bagisto 2.3.8 installation with access to the admin panel
- Ability to intercept and modify outgoing CMS update requests (e.g., via a proxy tool)
- Editing any CMS page (such as /admin/cms/edit/{id})
By introducing unfiltered script content directly into the HTTP payload; bypassing the UI-level sanitization the CMS endpoint accepts and stores the malicious JS.
Steps to Reproduce
- Log in as admin
- Navigate to: /admin/cms/edit/1
- Intercept the request (e.g., using Burp Suite)
- Modify the en[html_content] field to include raw JavaScript:
A video PoC has been prepared showing:
- Normal CMS editing behavior
- How the sanitation process is expected to work
- How altering the raw request bypasses sanitization
- Execution of the stored script once the page is loaded This helps illustrate both expected behavior and actual vulnerability behavior clearly.
Video PoC: https://drive.google.com/file/d/1quGkBq1zwRhVrlJtVeDk9iQeUzqIyOM-/view
Impact
- Administrator account takeover
- Session hijacking
- Unauthorized actions performed in admin context
- Defacement or injection of malicious content into public pages
- Potential expansion into full application compromise
Recommendations
Implement server-side sanitization (e.g., HTMLPurifier or Laravel Purifier) to strip or encode tags regardless of how the request is manipulated.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21451"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-02T21:16:23Z",
"nvd_published_at": "2026-01-02T21:16:02Z",
"severity": "MODERATE"
},
"details": "### Summary\nA stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize `\u003cscript\u003e` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited.\nThis exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution.\n\n### Details\nBagisto\u2019s CMS editor includes an HTML sanitation mechanism intended to protect against script injection by wrapping raw script content in `\u003cdiv\u003e` elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitation layer fails to strip or encode embedded `\u003cscript\u003e` tags.\n\nBecause the back-end trusts the manipulated request, the malicious script is stored in the database exactly as submitted. When an administrator opens the CMS page (either in the editor or in the storefront), the JavaScript executes in the browser context with full admin privileges.\n\nThe vulnerability stems from insufficient server-side sanitization.\nSanitization logic appears to rely on client-side or UI-layer controls, leaving the underlying HTTP endpoint unprotected.\n\n### PoC\n* A Bagisto 2.3.8 installation with access to the admin panel\n* Ability to intercept and modify outgoing CMS update requests (e.g., via a proxy tool)\n* Editing any CMS page (such as /admin/cms/edit/{id})\n\nBy introducing unfiltered script content directly into the HTTP payload; bypassing the UI-level sanitization the CMS endpoint accepts and stores the malicious JS.\n\n### Steps to Reproduce\n\n1. Log in as admin\n2. Navigate to: /admin/cms/edit/1\n3. Intercept the request (e.g., using Burp Suite)\n4. Modify the en[html_content] field to include raw JavaScript:\n\n\u003cimg width=\"1166\" height=\"580\" alt=\"unnamed\" src=\"https://github.com/user-attachments/assets/2163def6-02a4-46d3-b0bf-a66dcce00f55\" /\u003e\n\n\u003cimg width=\"1167\" height=\"573\" alt=\"unnamed\" src=\"https://github.com/user-attachments/assets/ffe540aa-f7f9-4dc9-b934-6d2798cafa0a\" /\u003e\n\n\n\n\u003e A video PoC has been prepared showing:\n\n* Normal CMS editing behavior\n* How the sanitation process is expected to work\n* How altering the raw request bypasses sanitization\n* Execution of the stored script once the page is loaded\nThis helps illustrate both expected behavior and actual vulnerability behavior clearly.\n\nVideo PoC: https://drive.google.com/file/d/1quGkBq1zwRhVrlJtVeDk9iQeUzqIyOM-/view\n\n### Impact\n* Administrator account takeover\n* Session hijacking\n* Unauthorized actions performed in admin context\n* Defacement or injection of malicious content into public pages\n* Potential expansion into full application compromise\n\n### Recommendations\n\nImplement server-side sanitization (e.g., HTMLPurifier or Laravel Purifier) to strip or encode \u003cscript\u003e tags regardless of how the request is manipulated.",
"id": "GHSA-2mwc-h2mg-v6p8",
"modified": "2026-01-03T00:32:58Z",
"published": "2026-01-02T21:16:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21451"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/commit/f533b1cd9c80896792da60976179c95573d78b79"
},
{
"type": "PACKAGE",
"url": "https://github.com/bagisto/bagisto"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/releases/tag/v2.3.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Bagisto has HTML Filter Bypass that Enables Stored XSS"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.