{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6745", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-21T12:04:02.182Z", "datePublished": "2026-04-21T18:30:17.803Z", "dateUpdated": "2026-04-21T18:45:13.321Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-21T18:30:17.803Z"}, "title": "Bagisto Custom Scripts cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "Bagisto", "versions": [{"version": "2.3.0", "status": "affected"}, {"version": "2.3.1", "status": "affected"}, {"version": "2.3.2", "status": "affected"}, {"version": "2.3.3", "status": "affected"}, {"version": "2.3.4", "status": "affected"}, {"version": "2.3.5", "status": "affected"}, {"version": "2.3.6", "status": "affected"}, {"version": "2.3.7", "status": "affected"}, {"version": "2.3.8", "status": "affected"}, {"version": "2.3.9", "status": "affected"}, {"version": "2.3.10", "status": "affected"}, {"version": "2.3.11", "status": "affected"}, {"version": "2.3.12", "status": "affected"}, {"version": "2.3.13", "status": "affected"}, {"version": "2.3.14", "status": "affected"}, {"version": "2.3.15", "status": "affected"}], "modules": ["Custom Scripts Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: \"We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases.\""}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"}}], "timeline": [{"time": "2026-04-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-21T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-21T14:09:12.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "hai271120 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358436", "name": "VDB-358436 | Bagisto Custom Scripts cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358436/cti", "name": "VDB-358436 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/794681", "name": "Submit #794681 | bagisto v2.3.15 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:45:00.650678Z", "id": "CVE-2026-6745", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:45:13.321Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6745", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:45:00.650678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:45:05.599Z"}}], "cna": {"title": "Bagisto Custom Scripts cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "hai271120 (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["Custom Scripts Handler"], "product": "Bagisto", "versions": [{"status": "affected", "version": "2.3.0"}, {"status": "affected", "version": "2.3.1"}, {"status": "affected", "version": "2.3.2"}, {"status": "affected", "version": "2.3.3"}, {"status": "affected", "version": "2.3.4"}, {"status": "affected", "version": "2.3.5"}, {"status": "affected", "version": "2.3.6"}, {"status": "affected", "version": "2.3.7"}, {"status": "affected", "version": "2.3.8"}, {"status": "affected", "version": "2.3.9"}, {"status": "affected", "version": "2.3.10"}, {"status": "affected", "version": "2.3.11"}, {"status": "affected", "version": "2.3.12"}, {"status": "affected", "version": "2.3.13"}, {"status": "affected", "version": "2.3.14"}, {"status": "affected", "version": "2.3.15"}]}], "timeline": [{"lang": "en", "time": "2026-04-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-21T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-21T14:09:12.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358436", "name": "VDB-358436 | Bagisto Custom Scripts cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358436/cti", "name": "VDB-358436 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/794681", "name": "Submit #794681 | bagisto v2.3.15 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: \"We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-21T18:30:17.803Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6745", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:45:13.321Z", "dateReserved": "2026-04-21T12:04:02.182Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-21T18:30:17.803Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and explains: \"We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases.\""}], "id": "CVE-2026-6745", "lastModified": "2026-04-21T19:16:18.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.917", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/794681"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358436"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358436/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.3.15"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Bagisto", "source": "cna", "vendor": "n/a"}, "product": "bagisto", "vendor": "bagisto"}], "analysis": {"en": {"generated_at": "2026-04-22T06:45:39.713465+00:00", "value": {"mitigation_remediation": ["Wait for and apply the vendor\u2019s upcoming patch that addresses the Custom Scripts Handler vulnerability.", "Until a fix is available, disable or remove the Custom Scripts feature to prevent user\u2011supplied scripts from being processed.", "Deploy a web application firewall rule to deny suspicious input patterns targeting the Custom Scripts endpoint and monitor logs for attempts to inject scripts."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (remote)"}, "threat_synthesis": {"affected_systems": "All installations of Bagisto version 2.3.15 or earlier are affected. The advisory does not enumerate later releases, so any deployment that still includes the vulnerable Custom Scripts Handler before the vendor releases a fix remains at risk.", "description_and_impact": "Bagisto\u2019s Custom Scripts Handler contains an XSS flaw that allows attackers to inject arbitrary user\u2011supplied script into pages rendered by the application. The flaw is classified as CWE\u201179 and also involves a code injection path (CWE\u201194). The vulnerability can be exploited remotely, as announced, giving the attacker the ability to run code in a victim\u2019s browser when the vulnerable content is displayed. No explicit mention of authentication requirements is made in the description.", "risk_and_exploitability": "The CVSS score of 5.1 represents moderate severity. EPSS is unavailable, and the issue is not listed in CISA KEV, indicating no current widespread exploitation. The likely attack vector is a web\u2011based request to the Custom Scripts endpoint; this inference is made because the description states remote exploitation is possible, but the exact vector is not specified. Attackers could surface the injected script if a user views the affected page."}}}}, "created": "2026-04-22T04:15:07.396624+00:00", "updated": "2026-04-22T07:00:12.118613+00:00", "vendors": ["bagisto", "bagisto$PRODUCT$bagisto"]}