CVE-2026-21450: Bagisto SSTI vulnerability in type parameter can lead to RCE

January 2, 2026

SSTI is possible in Bagisto via type parameter can lead to RCE and other exploitations.

References

github.com/advisories/GHSA-9hvg-qw5q-wqwp
github.com/bagisto/bagisto
github.com/bagisto/bagisto/commit/3f294b4837595929107d9c1bbd6d5b1222ef9fea
github.com/bagisto/bagisto/releases/tag/v2.3.10
github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp
nvd.nist.gov/vuln/detail/CVE-2026-21450

Code Behaviors & Features

Detect and mitigate CVE-2026-21450 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →