What is the severity of CVE-2026-21451?

CVE-2026-21451 has a CVSS v3 score of 8.4, which is classified as High severity.

Is there an exploit available for CVE-2026-21451?

Yes, there are known exploits available for CVE-2026-21451. Immediate patching is recommended.

Is there a patch available for CVE-2026-21451?

Yes, patches are available for CVE-2026-21451. Check the vendor advisories for update instructions.

CVE-2026-21451 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v38.4

CVSS v20.0

Priority Score710.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

8.4

CVSS

Yes

Exploit

Yes

Patch

Medium Priority

exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize <script> tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution.

Details

Bagisto’s CMS editor includes an HTML sanitation mechanism intended to protect against script injection by wrapping raw script content in <div> elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitation layer fails to strip or encode embedded <script> tags.

Because the back-end trusts the manipulated request, the malicious script is stored in the database exactly as submitted. When an administrator opens the CMS page (either in the editor or in the storefront), the JavaScript executes in the browser context with full admin privileges.

The vulnerability stems from insufficient server-side sanitization. Sanitization logic appears to rely on client-side or UI-layer controls, leaving the underlying HTTP endpoint unprotected.

PoC

A Bagisto 2.3.8 installation with access to the admin panel
Ability to intercept and modify outgoing CMS update requests (e.g., via a proxy tool)
Editing any CMS page (such as /admin/cms/edit/{id})

By introducing unfiltered script content directly into the HTTP payload; bypassing the UI-level sanitization the CMS endpoint accepts and stores the malicious JS.

Steps to Reproduce

Log in as admin
Navigate to: /admin/cms/edit/1
Intercept the request (e.g., using Burp Suite)
Modify the en[html_content] field to include raw JavaScript:

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:High

User Interaction:Required

Scope:Changed

Confidentiality:High

Integrity:High

Availability:High

Exploit References

GitHub

Patch References

Github.com Github.com Security [email protected]

CVE-2026-21451

Summary

Details

PoC

Steps to Reproduce

Impact

Recommendations