Platform: php
Component: bagisto/bagisto
Fixed in: 2.3.1, 2.3.11, 2.3.10
CVE-2026-21446 is a critical Remote Code Execution (RCE) vulnerability in the Bagisto e-commerce platform. It allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. Versions of Bagisto up to and including v2.3.9 are affected, and a fix is available in version 2.3.10. Prompt patching is strongly recommended.
The impact of CVE-2026-21446 is severe. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the web server process. This can give the attacker complete control over the affected Bagisto instance, including access to sensitive customer data, modification of product catalogs, and full system takeover. The attacker could then use this foothold to pivot to other systems on the network, leading to broader data breaches and disruption. While no real-world exploitation has been publicly reported, the ease of exploitation and the potential impact make this a high-priority vulnerability.
CVE-2026-21446 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability’s ease of exploitation. The EPSS score is expected to be high due to the RCE nature and the potential for widespread impact. The vulnerability was publicly disclosed on January 2, 2026.
Exploit Status
EPSS: 0.14% (33rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-21446 is to upgrade Bagisto to version 2.3.10 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds: restrict access to the /install/api/env-file-setup endpoint with a web application firewall (WAF) or reverse proxy, blocking requests from untrusted sources; review and tighten file permissions on the Bagisto installation directory to limit the impact of any code execution; and monitor web server logs for suspicious activity, particularly requests targeting the vulnerable endpoint. After upgrading, confirm the fix by sending a request to the /install/api/env-file-setup endpoint; it should return an error indicating that access is denied.
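As an added triage example (not Bagisto's or the advisory's own code), the following Python script supports the log-monitoring and version-check steps above: it parses Combined Log Format access-log lines for requests to /install/api/env-file-setup, flags those the server answered successfully (which should no longer happen once the upgrade or WAF rule is in place), and compares an installed version string against 2.3.10. The log lines and IP addresses are constructed; the function names and the log format are assumptions.

```python
"""Triage helpers for CVE-2026-21446 (Bagisto installer API endpoint).

Added example, not part of Bagisto or the advisory. Assumes the web server
writes Combined Log Format (Apache/nginx default) and that the operator
supplies the installed Bagisto version string.
"""
import re
from typing import Iterable, List, Tuple

VULNERABLE_ENDPOINT = "/install/api/env-file-setup"
FIXED_VERSION = (2, 3, 10)  # first release the advisory names as fixed

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

Hit = Tuple[str, str, str, int]  # (ip, timestamp, method, status)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "GET /shop HTTP/1.1" 200 5123',
    '203.0.113.7 - - [02/Jan/2026:10:15:04 +0000] "POST /install/api/env-file-setup HTTP/1.1" 200 87',
    '198.51.100.9 - - [02/Jan/2026:10:16:30 +0000] "GET /install/api/env-file-setup?x=1 HTTP/1.1" 403 0',
    '192.0.2.5 - - [02/Jan/2026:10:17:02 +0000] "GET /admin/login HTTP/1.1" 200 3110',
    'not a log line at all',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.3.9' or '2.3.10' into a tuple that compares numerically."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True for 2.3.9 and earlier, the range the advisory lists as affected."""
    return parse_version(version) < FIXED_VERSION


def find_installer_hits(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose path (query string stripped) is the installer endpoint."""
    hits: List[Hit] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-Combined-format line; skip rather than crash
        path = match.group("path").split("?", 1)[0].rstrip("/")
        if path == VULNERABLE_ENDPOINT:
            hits.append((match.group("ip"), match.group("ts"),
                         match.group("method"), int(match.group("status"))))
    return hits


def successful_hits(lines: Iterable[str]) -> List[Hit]:
    """Subset of hits the server answered with a non-error status (2xx/3xx).

    After the upgrade or a WAF rule, the endpoint should only ever produce
    4xx/5xx responses, so any entry here warrants investigation.
    """
    return [hit for hit in find_installer_hits(lines) if hit[3] < 400]


if __name__ == "__main__":
    print("affected:", is_affected("2.3.9"), "| fixed:", not is_affected("2.3.10"))
    for ip, ts, method, status in find_installer_hits(SAMPLE_LOG):
        flag = "INVESTIGATE" if status < 400 else "blocked"
        print(f"{ts} {ip} {method} {VULNERABLE_ENDPOINT} -> {status} ({flag})")
```

Feed real access-log lines to find_installer_hits (for example, `successful_hits(open("/var/log/nginx/access.log"))`) as part of the log monitoring the advisory recommends; a 2xx response to the endpoint on a host that is supposedly patched or WAF-protected means the workaround is not in effect.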
Upgrade Bagisto to version 2.3.10 or later. This version fixes the missing-authentication vulnerability in the installer API endpoints. The update prevents unauthenticated attackers from creating administrator accounts or modifying the application configuration.
CVE-2026-21446 is a critical Remote Code Execution vulnerability in the Bagisto e-commerce platform, affecting versions up to v2.3.9 and allowing attackers to execute arbitrary code.
You are affected if you are running Bagisto versions 2.3.9 or earlier. Upgrade to 2.3.10 or later to mitigate the risk.
Upgrade Bagisto to version 2.3.10 or later. As a temporary workaround, restrict access to the /install/api/env-file-setup endpoint.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the official Bagisto security advisory for detailed information and updates: [https://bagisto.com/security/advisories](https://bagisto.com/security/advisories)