CVE 8.7 HIGH

Path Traversal Vulnerability in Bagisto_CVE-2026-9506

June 8, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.

Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.

AI Analysis

Path Traversal Vulnerability in Bagisto due to improper validation of user-supplied input in the ImageCacheController component, allowing an attacker to read arbitrary sensitive files on the targeted system.

Basic Information

ID CVE-2026-9506

Source CERT-In

Published Jun 8, 2026 at 09:28

Affected Product

Vendor Webkul

Product Bagisto

Version version v2.4.1

Affected Versions Webkul Bagisto version v2.4.1

CWE Classification

CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Webkul

Product Bagisto

Version v2.4.1

References

www.cert-in.org.in /s2cMainServlet

{
    "lastseen": "",
    "description": "This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.\n\n\n\nSuccessful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.",
    "published": "2026-06-08T09:28:51.899Z",
    "modified": "2026-06-08T09:28:51.899Z",
    "type": "cve",
    "title": "Path Traversal Vulnerability in Bagisto",
    "source": "CERT-In",
    "references": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0292",
    "id": "CVE-2026-9506",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "Webkul Bagisto version v2.4.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Bagisto",
    "version": "version v2.4.1",
    "vendor": "Webkul",
    "ai_description": "Path Traversal Vulnerability in Bagisto due to improper validation of user-supplied input in the ImageCacheController component, allowing an attacker to read arbitrary sensitive files on the targeted system.",
    "ai_severity": "High",
    "ai_vendor": "Webkul",
    "ai_product": "Bagisto",
    "ai_version": "v2.4.1",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply