Platform
php
Component
bagisto/bagisto
Fixed versions
2.3.1
2.3.11
2.3.10
CVE-2026-21446 represents a critical Remote Code Execution (RCE) vulnerability discovered in the Bagisto e-commerce platform. This flaw allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. The vulnerability affects versions of Bagisto up to and including v2.3.9, and a fix is available in version 2.3.10. Prompt patching is strongly recommended.
The impact of CVE-2026-21446 is severe. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the web server process. This could enable attackers to gain complete control over the affected Bagisto instance, including access to sensitive customer data, modification of product catalogs, and even complete system takeover. The attacker could potentially use this foothold to pivot to other systems on the network, leading to broader data breaches and disruption. While no specific real-world exploitation has been publicly reported, the ease of exploitation and the potential impact make this a high-priority vulnerability.
CVE-2026-21446 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability’s ease of exploitation. The EPSS score is expected to be high due to the RCE nature and the potential for widespread impact. The vulnerability was publicly disclosed on January 2, 2026.
Organizations running Bagisto e-commerce platforms, particularly those using older versions (≤v2.3.9), are at significant risk. Shared hosting environments where multiple Bagisto instances are hosted on the same server are especially vulnerable, as a compromise of one instance could potentially impact others. Custom Bagisto installations or those with modified installer routes are also at increased risk.
• php: Examine web server access logs for requests to /install/api/env-file-setup from unusual IP addresses or user agents.
grep "/install/api/env-file-setup" /var/log/apache2/access.log | grep -v "127.0.0.1"
• php: Check for modifications to the packages/Webkul/Installer/src/Routes/web.php file. Unexpected changes could indicate an attempted exploit.
• generic web: Monitor for unusual processes running under the web server user account. Unexpected PHP scripts executing could indicate a successful exploit.
• generic web: Review the Bagisto installation directory permissions. Ensure that the web server user has only the necessary permissions to read and write files.
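The access-log check in the first bullet above, carried one step further as an added example (it is not part of the original advisory and not Bagisto project code): it parses Apache/Nginx combined-format log lines, keeps only requests to /install/api/env-file-setup that did not come from loopback or from an operator-supplied allow list, and marks which of those the server actually accepted, since a 2xx/3xx on a POST is a stronger signal than a blocked 403. The sample log lines are constructed; the combined log format, the `trusted_prefixes` allow list and the version-comparison helper are assumptions of this example.

```python
import re
import ipaddress

# Endpoint named in the advisory as the one exposed by the vulnerable installer route.
VULNERABLE_PATH = "/install/api/env-file-setup"

# Apache/Nginx "combined" log format (assumption: the server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_installer_hits(lines, trusted_prefixes=()):
    """Return parsed entries that touched the installer endpoint from a source that is
    neither loopback nor inside one of the trusted CIDR prefixes (hypothetical allow list).
    Each returned entry carries an 'accepted' flag: True when a POST got a 2xx/3xx."""
    trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Compare the path without its query string so "?x=1" variants still match.
        path = entry["path"].split("?", 1)[0]
        if not path.startswith(VULNERABLE_PATH):
            continue
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except ValueError:
            addr = None  # keep unparsable sources; they are worth a look anyway
        if addr is not None and (addr.is_loopback or any(addr in n for n in trusted)):
            continue
        entry["accepted"] = entry["method"] == "POST" and 200 <= entry["status"] < 400
        hits.append(entry)
    return hits


def is_affected_version(version, fixed="2.3.10"):
    """True when the installed version sorts below the fixed release. Compares numerically,
    so 2.3.9 is correctly treated as older than 2.3.10 (a string compare would get it wrong)."""
    def key(v):
        return tuple(int(x) for x in v.lstrip("v").split("."))
    return key(version) < key(fixed)


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "POST /install/api/env-file-setup HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '127.0.0.1 - - [02/Jan/2026:10:16:40 +0000] "GET /install/api/env-file-setup HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.23 - - [02/Jan/2026:10:17:02 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jan/2026:10:18:11 +0000] "POST /install/api/env-file-setup?x=1 HTTP/1.1" 403 99 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in find_installer_hits(SAMPLE_LOG):
        flag = "ACCEPTED" if hit["accepted"] else "rejected"
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} [{flag}] ua={hit["ua"]}')
    print("affected:", is_affected_version("2.3.9"), "| fixed:", not is_affected_version("2.3.10"))
```

To run this against a real server, replace `SAMPLE_LOG` with the lines of the access log (for example `open("/var/log/apache2/access.log")`) and pass the CIDR ranges of your own monitoring hosts as `trusted_prefixes`, so that legitimate health checks do not show up as hits.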
disclosure
patch
Exploit status
EPSS
0.14% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21446 is to immediately upgrade Bagisto to version 2.3.10 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /install/api/env-file-setup endpoint using a web application firewall (WAF) or proxy server, blocking requests from untrusted sources. Carefully review and restrict file permissions on the Bagisto installation directory to minimize the potential impact of code execution. Monitor web server logs for suspicious activity, particularly requests targeting the vulnerable endpoint. After upgrading, confirm the fix by attempting a request to the /install/api/env-file-setup endpoint; it should return an error indicating access is denied.
Update Bagisto to version 2.3.10 or later. This version fixes the missing-authentication vulnerability in the installer API endpoint. Updating prevents unauthenticated attackers from creating administrator accounts or changing the application's configuration.
CVE-2026-21446 is a critical Remote Code Execution vulnerability in Bagisto e-commerce platform versions up to v2.3.9, allowing attackers to execute arbitrary code.
You are affected if you are running Bagisto versions 2.3.9 or earlier. Upgrade to 2.3.10 or later to mitigate the risk.
Upgrade Bagisto to version 2.3.10 or later. As a temporary workaround, restrict access to the /install/api/env-file-setup endpoint.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the official Bagisto security advisory for detailed information and updates: [https://bagisto.com/security/advisories](https://bagisto.com/security/advisories)