CVE-2026-21447

Bagisto has IDOR in Customer Order Reorder Functionality

CVSS 7.1 HIGHEPSS 0.3%CWE-284 CWE-639

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Affected products

bagisto · bagisto

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3 https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm