CVE-2025-60880: Bagisto is vulnerable to XSS through Admin Panel's product creation path
(updated )
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel’s product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
References
- gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98
- github.com/Shenal01/CVE-2025-60880
- github.com/advisories/GHSA-29mf-w486-v3vc
- github.com/bagisto/bagisto
- github.com/bagisto/bagisto/commit/9ec40c99c34a83f311ffbb7c1039a59ff9d655cc
- github.com/darylldoyle/svg-sanitizer/releases
- nvd.nist.gov/vuln/detail/CVE-2025-60880
Code Behaviors & Features
Detect and mitigate CVE-2025-60880 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →