CVE-2026-21446: RCE in Bagisto E-commerce Platform
Platform: php
Component: bagisto/bagisto
Fixed in (versions listed on the page): 2.3.1, 2.3.10, 2.3.11
CVE-2026-21446 is a critical Remote Code Execution (RCE) vulnerability in the Bagisto e-commerce platform. The root cause is missing authentication on the installer's API endpoints, notably /install/api/env-file-setup: because these endpoints remain reachable without credentials after the store is installed, an unauthenticated attacker can rewrite the application's environment configuration or create administrator accounts, which leads to arbitrary code execution on the host. Bagisto versions up to and including 2.3.9 are affected; the fix ships in 2.3.10. Upgrade promptly.
Impact and Attack Scenarios
Successful exploitation gives the attacker arbitrary code execution with the privileges of the web server process, and with it full control of the Bagisto instance: access to customer data, modification of the product catalog and of the application's configuration, creation of administrator accounts, and ultimately takeover of the host. That foothold can then be used to pivot to other systems on the network, widening the breach and the disruption. No real-world exploitation has been publicly reported, but the issue is unauthenticated and trivial to trigger, which makes it a high-priority fix.
Exploitation Context
CVE-2026-21446 is not currently listed in the CISA KEV catalog, and no public proof-of-concept (PoC) has been reported, although one is likely to emerge given how easy the flaw is to exploit. The EPSS score at the time of writing is 0.14% (33rd percentile), which reflects the absence of observed exploitation rather than the severity of the flaw; expect it to rise if a PoC circulates. The vulnerability was publicly disclosed on January 2, 2026.
Threat Intelligence
- Exploit status: no public exploitation or proof-of-concept reported
- EPSS: 0.14% (33rd percentile)
- CISA KEV: not listed
- CVSS v3.x vector, assembled from the metric breakdown below: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
CVSS Metrics
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access is required, so the attack surface is as wide as it gets.
- Attack Complexity: Low. No special conditions are required; the attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None. Unauthenticated; no login or credentials are needed.
- User Interaction: None. The attack is automatic and silent; the victim does nothing, no click and no file open.
- Scope: Unchanged. Impact is limited to the vulnerable component itself.
- Confidentiality: High. Complete loss; the attacker can read all data, including credentials, keys and personal data.
- Integrity: High. The attacker can write, modify or delete any data: databases, configuration files or code.
- Availability: High. Complete crash or resource exhaustion; full denial of service.
Affected Software
- Package: bagisto/bagisto (php)
- Affected versions: up to and including 2.3.9
- Fixed versions: 2.3.10 and later
- Latest release listed for the package: 2.4.4
- Published: January 2, 2026
Mitigation and Workarounds
The primary mitigation for CVE-2026-21446 is to upgrade Bagisto to version 2.3.10 or later immediately. If that is not yet feasible, apply temporary workarounds: block access to /install/api/env-file-setup (and the rest of the installer API under /install/api/) at a web application firewall or reverse proxy, allowing requests only from trusted sources; the installer has no legitimate purpose once the store is installed, so denying the whole path is the safest default. Tighten file permissions on the Bagisto installation directory, in particular on the environment configuration file the endpoint writes, so that a compromised web server process can change as little as possible. Monitor web server logs for requests to the installer endpoints, since any such request from an untrusted source is suspicious and a successful write to the env-file endpoint before patching should be treated as a compromise. After upgrading, confirm the fix by sending an unauthenticated request to /install/api/env-file-setup; it should now be refused with an access-denied error rather than succeeding.
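The log-monitoring and post-upgrade verification steps above, as an added example that is not Bagisto's own code or part of the original advisory. It assumes web server access logs in the common combined format, assumes that sibling installer endpoints share the /install/api/ prefix (only the env-file-setup path is named on this page), and runs over constructed sample log lines; the endpoint_is_blocked helper takes the HTTP status you observe when probing the endpoint after the upgrade, for example with curl -i.

```python
"""Added example (not Bagisto code): scan access logs for requests to the installer API
that CVE-2026-21446 concerns, and classify the result of a post-upgrade probe.
The /install/api/env-file-setup path is named in the advisory; treating the whole
/install/api/ prefix as sensitive is an assumption. Log lines below are constructed."""
import re
from collections import Counter

ENV_FILE_SETUP = "/install/api/env-file-setup"
INSTALLER_PREFIX = "/install/api/"  # assumption: sibling installer endpoints share this prefix

# Combined log format as emitted by nginx/Apache defaults (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one session that read and then wrote the env file on an unpatched
# host, ordinary shop traffic, a probe that was refused, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "GET /install/api/env-file-setup HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Jan/2026:10:15:02 +0000] "POST /install/api/env-file-setup HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.4 - - [02/Jan/2026:10:16:00 +0000] "GET /products/laptop HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2026:10:17:30 +0000] "POST /install/api/env-file-setup?probe=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    'not a log line',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse.
    The query string is stripped so path matching is not defeated by appending ?x."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_installer_hits(lines):
    """All parsed requests whose path falls under the installer API prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"].startswith(INSTALLER_PREFIX):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group installer hits by source IP and isolate successful (2xx) write requests to the
    env-file endpoint: on an unpatched host those are the strongest sign that the
    application configuration was actually changed, not merely probed."""
    by_ip = Counter(h["ip"] for h in hits)
    env_writes = [
        h for h in hits
        if h["path"] == ENV_FILE_SETUP and h["method"] in ("POST", "PUT")
        and 200 <= h["status"] < 300
    ]
    return {"by_ip": dict(by_ip), "successful_env_writes": env_writes}


def endpoint_is_blocked(status_code):
    """Post-upgrade check: an unauthenticated request to the env-file endpoint must not
    succeed. Any 2xx means the installer API is still reachable; a 401/403/404 (or a
    WAF block page) is the expected outcome after upgrading to 2.3.10 or later, or after
    fencing the path at the proxy."""
    return not (200 <= status_code < 300)


if __name__ == "__main__":
    hits = find_installer_hits(SAMPLE_LOG)
    report = summarize(hits)
    print(f"installer API requests: {len(hits)}; by IP: {report['by_ip']}")
    for h in report["successful_env_writes"]:
        print(f"ALERT successful env write from {h['ip']} at {h['ts']}")
    print("endpoint blocked after upgrade:", endpoint_is_blocked(403))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the successful_env_writes list is what to escalate, since a 2xx POST to the env-file endpoint from an untrusted address before the patch means the configuration was written, not just probed.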
How to fix
Upgrade Bagisto to version 2.3.10 or later. That release corrects the missing authentication on the installer API endpoints, so unauthenticated attackers can no longer use them to create administrator accounts or modify the application configuration.
Frequently asked questions
What is CVE-2026-21446 — RCE in Bagisto?
CVE-2026-21446 is a critical Remote Code Execution vulnerability in Bagisto e-commerce platform versions up to v2.3.9, allowing attackers to execute arbitrary code.
Am I affected by CVE-2026-21446 in Bagisto?
You are affected if you are running Bagisto versions 2.3.9 or earlier. Upgrade to 2.3.10 or later to mitigate the risk.
How do I fix CVE-2026-21446 in Bagisto?
Upgrade Bagisto to version 2.3.10 or later. As a temporary workaround, restrict access to the /install/api/env-file-setup endpoint.
Is CVE-2026-21446 being actively exploited?
While no active exploitation has been publicly confirmed, the ease of exploitation suggests it is likely to be targeted.
Where can I find the official Bagisto advisory for CVE-2026-21446?
Refer to the official Bagisto security advisory for detailed information and updates: [https://bagisto.com/security/advisories](https://bagisto.com/security/advisories)