CVE-2026-6744

Summary

A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and explains: "We already replied on the github advisories. All the security issues are addressed through security advisory. We will fix this in our upcomming releases."

Affected Software

VendorProductVersion RangeStatus
n/aBagisto2.3.0affected
n/aBagisto2.3.1affected
n/aBagisto2.3.2affected
n/aBagisto2.3.3affected
n/aBagisto2.3.4affected
n/aBagisto2.3.5affected
n/aBagisto2.3.6affected
n/aBagisto2.3.7affected
n/aBagisto2.3.8affected
n/aBagisto2.3.9affected
n/aBagisto2.3.10affected
n/aBagisto2.3.11affected
n/aBagisto2.3.12affected
n/aBagisto2.3.13affected
n/aBagisto2.3.14affected
n/aBagisto2.3.15affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References