Platform: php
Component: bagisto/bagisto
Fixed in: 2.3.1, 2.3.11, 2.3.10
CVE-2026-21446 represents a critical Remote Code Execution (RCE) vulnerability discovered in the Bagisto e-commerce platform. This flaw allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. The vulnerability affects versions of Bagisto up to and including v2.3.9, and a fix is available in version 2.3.10. Prompt patching is strongly recommended.
The impact of CVE-2026-21446 is severe. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the web server process. This could enable attackers to gain complete control over the affected Bagisto instance, including access to sensitive customer data, modification of product catalogs, and even complete system takeover. The attacker could potentially use this foothold to pivot to other systems on the network, leading to broader data breaches and disruption. While no specific real-world exploitation has been publicly reported, the ease of exploitation and the potential impact make this a high-priority vulnerability.
CVE-2026-21446 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability’s ease of exploitation. The EPSS score is expected to be high due to the RCE nature and the potential for widespread impact. The vulnerability was publicly disclosed on January 2, 2026.
Organizations running Bagisto e-commerce platforms, particularly those using older versions (≤v2.3.9), are at significant risk. Shared hosting environments where multiple Bagisto instances are hosted on the same server are especially vulnerable, as a compromise of one instance could potentially impact others. Custom Bagisto installations or those with modified installer routes are also at increased risk.
• php: Examine web server access logs for requests to /install/api/env-file-setup from unusual IP addresses or user agents.
    grep "/install/api/env-file-setup" /var/log/apache2/access.log | grep -v "127.0.0.1"
• php: Check for modifications to the packages/Ibkul/Installer/src/Routes/Ib.php file. Unexpected changes could indicate an attempted exploit.
• generic web: Monitor for unusual processes running under the web server user account. Unexpected PHP scripts executing could indicate a successful exploit.
• generic web: Review the Bagisto installation directory permissions. Ensure that the web server user has only the necessary permissions to read and write files.
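The log check above can be made more precise than a bare grep. The following is an added example, not code from this advisory or from the Bagisto project: it parses Apache/nginx combined-format access logs (an assumption about the log format), keeps only requests to the installer endpoint, drops loopback sources (the only addresses treated as trusted here) and counts the rest by source IP, user agent and HTTP status. The sample log lines are constructed.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address

# Assumption: the access log uses the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Installer endpoint named in the advisory; the query string is ignored when matching.
INSTALLER_PATH = "/install/api/env-file-setup"

def is_trusted(ip: str) -> bool:
    # Assumption: only loopback is trusted; extend this for known admin ranges.
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False

def find_installer_hits(lines):
    """Return every request to the installer endpoint from an untrusted address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != INSTALLER_PATH:
            continue
        if is_trusted(m["ip"]):
            continue
        hits.append({k: m[k] for k in ("ip", "ts", "method", "status", "ua")})
    return hits

def summarize(hits):
    """Count hits per (source IP, user agent, HTTP status) to spot repeated probing."""
    return Counter((h["ip"], h["ua"], h["status"]) for h in hits)

# Constructed sample lines; not taken from a real incident.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Jan/2026:10:00:01 +0000] "GET /install/api/env-file-setup HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [02/Jan/2026:10:05:42 +0000] "POST /install/api/env-file-setup HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.7 - - [02/Jan/2026:10:05:43 +0000] "GET /admin/login HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.23 - - [02/Jan/2026:11:12:09 +0000] "POST /install/api/env-file-setup?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Pass a log file path as the first argument; otherwise the constructed sample is scanned.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (ip, ua, status), n in summarize(find_installer_hits(src)).most_common():
        print(f"{n:4d}  {ip:<16} status={status}  ua={ua}")
```

A 200 response to the endpoint from an untrusted address deserves a closer look than a 403, which indicates the request was refused.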
Disclosure
Patch
Exploit status
EPSS: 0.14% (percentile 33%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21446 is to immediately upgrade Bagisto to version 2.3.10 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /install/api/env-file-setup endpoint using a web application firewall (WAF) or proxy server, blocking requests from untrusted sources. Carefully review and restrict file permissions on the Bagisto installation directory to minimize the potential impact of code execution. Monitor web server logs for suspicious activity, particularly requests targeting the vulnerable endpoint. After upgrading, confirm the fix by attempting a request to the /install/api/env-file-setup endpoint; it should return an error indicating access is denied.
Update Bagisto to version 2.3.10 or later. This version fixes the missing-authentication vulnerability on the installation API endpoints. The update prevents unauthenticated attackers from creating administrator accounts or modifying the application configuration.
CVE-2026-21446 is a critical Remote Code Execution vulnerability in Bagisto e-commerce platform versions up to v2.3.9, allowing attackers to execute arbitrary code.
You are affected if you are running Bagisto versions 2.3.9 or earlier. Upgrade to 2.3.10 or later to mitigate the risk.
Upgrade Bagisto to version 2.3.10 or later. As a temporary workaround, restrict access to the /install/api/env-file-setup endpoint.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the official Bagisto security advisory for detailed information and updates: [https://bagisto.com/security/advisories](https://bagisto.com/security/advisories)