CVE-2025-62415: bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

October 16, 2025

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

References

github.com/advisories/GHSA-67px-r26w-598x
github.com/bagisto/bagisto
github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab
github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x
nvd.nist.gov/vuln/detail/CVE-2025-62415

Code Behaviors & Features

Detect and mitigate CVE-2025-62415 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →