CVE-2026-6745: Bagisto affected by Cross-site Scripting

April 21, 2026 (updated May 6, 2026)

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explained: “We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases.”

References

drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing
github.com/advisories/GHSA-65fp-7g2v-658r
nvd.nist.gov/vuln/detail/CVE-2026-6745
vuldb.com/submit/794681
vuldb.com/vuln/358436
vuldb.com/vuln/358436/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6745 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →