Description

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

INFO

Published Date :

2026-01-02T19:18:36.095Z

Last Modified :

2026-01-05T15:54:55.916Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-21446 vulnerability.

Vendors Products
Webkul
  • Bagisto
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-21446.

URL Resource
https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed cve-icon cve-icon
https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact