CVE-2025-62415

bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)

CVSS 6.9 (Medium) · EPSS 0.3% · CWE-80 · CWE-87
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS 6.9 · EPSS 0.3% · KEV: no · PoC · Patch
Lifecycle
Oct 16, 2025: Published on NVD
Recommendation: Monitor; no exploitation signal at the moment.
Bagisto is an open-source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When the uploaded file is viewed, the malicious code executes in the context of the admin's or user's browser. This vulnerability is fixed in 2.3.8.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
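The root cause above is an image-upload endpoint that stores whatever it is given, so an HTML document ends up served from the shop's own origin. The following is an added illustration, not Bagisto's or TinyMCE's code, of the server-side check that closes this class of bug: a file is accepted only when its extension and its leading bytes both match an allowed raster image type, and the first bytes are additionally scanned for document markup so an image-header/HTML polyglot is also refused. The function name and the signature table are assumptions for this example.

```python
import re

# Allowed raster image types, mapped to their file signatures (constructed table).
# SVG is deliberately absent: it is XML and can carry <script>, so it is not a safe
# upload type for an endpoint whose output is later rendered in a browser.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "webp": [b"RIFF"],  # RIFF container; 'WEBP' must follow at offset 8
}

# Tags that would make the file render as a document if a browser sniffed it.
DOCUMENT_MARKUP = re.compile(
    rb"<\s*(!doctype|html|script|svg|body|iframe)", re.IGNORECASE
)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload that is meant to be an image.

    Hypothetical helper: the extension is checked against an allowlist, the
    content is checked against that type's signature, and the first 4 KiB are
    rejected if they contain HTML/SVG markup (catches GIF/HTML-style polyglots).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '.{ext}' is not an allowed image type"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not carry a {ext} signature"
    if ext == "webp" and data[8:12] != b"WEBP":
        return False, "RIFF container is not a WebP image"
    if DOCUMENT_MARKUP.search(data[:4096]):
        return False, "document markup found inside image bytes"
    return True, "ok"
```

Validation at upload time should be paired with serving uploads under `X-Content-Type-Options: nosniff` and the correct image `Content-Type`, so that even a file that slips through is not interpreted as HTML.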
Affected products
bagisto · bagisto
