
[CIVN-2026-0292] Path Traversal Vulnerability in Bagisto
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Path Traversal Vulnerability in Bagisto
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Systems Affected
Bagisto version v2.4.1
Overview
A vulnerability has been reported in Bagisto, which could allow an unauthenticated remote attacker to read arbitrary sensitive files on the targeted system.
Target Audience:
Organizations / System Administrators / Application developers and maintainers using Bagisto
Risk Assessment:
High risk of unauthorized access to sensitive files stored on the targeted system.
Impact Assessment:
Potential disclosure of application configuration files, database credentials, API keys and other sensitive information on the targeted system.
Description
Bagisto is an open-source eCommerce platform developed using the Laravel PHP framework. It is used for developing and managing web-based online shopping applications and eCommerce websites.
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system.
Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
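Mitigation pattern for the defect class described above, as an added example that is not Bagisto's code (the function, directory and file names are hypothetical and the demo layout is constructed): resolve the requested filename with realpath() and serve it only if the canonical path stays inside the image cache directory.

```php
<?php
// Added example (PHP 8+), not Bagisto's own code: confine a user-supplied
// filename to a cache directory before reading it. All names are hypothetical.

declare(strict_types=1);

/**
 * Resolve $filename inside $baseDir and return the canonical absolute path,
 * or null if the request escapes the directory, does not exist, or is not a
 * regular file. realpath() collapses "..", symlinks and duplicate separators,
 * so the containment check below runs on the path the kernel would open.
 */
function resolveCachedImage(string $baseDir, string $filename): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes can truncate the path seen by the filesystem; reject them.
    if (str_contains($filename, "\0")) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved file must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout: one image inside the cache, one file outside it.
$root = sys_get_temp_dir() . '/imgcache_demo_' . bin2hex(random_bytes(4));
mkdir("$root/cache", 0700, true);
file_put_contents("$root/cache/product.jpg", 'jpeg-bytes');
file_put_contents("$root/secret.txt", 'outside the cache');

$requests = ['product.jpg', '../secret.txt', '..%2Fsecret.txt', '/etc/hostname', "product.jpg\0.png"];
foreach ($requests as $name) {
    $hit = resolveCachedImage("$root/cache", $name);
    printf("%-22s => %s\n", json_encode($name), $hit === null ? 'REJECTED' : 'serve ' . basename($hit));
}
```

Only the first request is served; the traversal, percent-encoded, absolute and NUL-byte variants are all rejected because their canonical path (if any) does not start with the cache directory prefix.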
Credit
This vulnerability was reported by Stalin S.
Solution
Upgrade Bagisto to the patched version v2.4.2 or later.
https://github.com/bagisto/bagisto/tree/v2.4.2
Vendor Information
Webkul
https://github.com/bagisto/bagisto/tree/v2.4.2
References
Webkul
https://github.com/bagisto/bagisto/tree/v2.4.2
CVE Name
CVE-2026-9506
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----