What is CVE-2026-21449?

### Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. ### Details 1. Go to `http://127.0.0.1:8000/` and login or signup 2. Go to `http://127.0.0.1:8000/customer/account/profile` 3. Now edit the first name and last name to {{7*7}} 4. Notice it appears as 49 ### POC - Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912 ### Impact This can lead to RCE, command injection.

What is the severity of CVE-2026-21449?

CVE-2026-21449 has a CVSS v3 score of 8.8, which is classified as High severity.

Is there an exploit available for CVE-2026-21449?

No known public exploits are currently available for CVE-2026-21449.

Is there a patch available for CVE-2026-21449?

Yes, patches are available for CVE-2026-21449. Check the vendor advisories for update instructions.

CVE-2026-21449 - CVE Details, Severity, and Analysis

CVE-2026-21449 - CVE Details, Severity, and Analysis | Strobes VI

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Webkul	Bagisto

Advisories

GitHub Advisory

NVD: Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.