← back
CVE-2025-62416

bagisto - Server Side Template Injection (SSTI) in Product Description

CVSS 5.1 MEDIUMEPSS 0.4%CWE-1336CWE-94
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
16 Oct 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Affected products
bagisto · bagisto

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj