bagisto – Server Side Template Injection (SSTI) in Product Description

5.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

Description

Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.

Basic Information

ID CVE-2025-62416

Source GitHub_M

Published Oct 16, 2025 at 18:32

Affected Product

Vendor bagisto

Product bagisto

Version < 2.3.8

Affected Versions bagisto bagisto < 2.3.8

CWE Classification

CWE-94 CWE-1336

References

github.com /bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj

{
    "lastseen": "",
    "description": "Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend \u2014 potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.",
    "published": "2025-10-16T18:32:55.776Z",
    "modified": "2025-10-16T18:32:55.776Z",
    "type": "cve",
    "title": "bagisto - Server Side Template Injection (SSTI) in Product Description",
    "source": "GitHub_M",
    "references": "https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj",
    "id": "CVE-2025-62416",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "bagisto bagisto < 2.3.8",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bagisto",
    "version": "< 2.3.8",
    "vendor": "bagisto",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

bagisto – Server Side Template Injection (SSTI) in Product Description_CVE-2025-62416