Platform: php
Component: bagisto/bagisto
Fixed in: 2.3.1, 2.3.11, 2.3.10
CVE-2026-21446 is a critical Remote Code Execution (RCE) vulnerability in the Bagisto e-commerce platform. The flaw allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. It affects Bagisto versions up to and including v2.3.9; a fix is available in version 2.3.10. Prompt patching is strongly recommended.
The impact of CVE-2026-21446 is severe. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the web server process. This could enable attackers to gain complete control over the affected Bagisto instance, including access to sensitive customer data, modification of product catalogs, and even complete system takeover. The attacker could potentially use this foothold to pivot to other systems on the network, leading to broader data breaches and disruption. While no specific real-world exploitation has been publicly reported, the ease of exploitation and the potential impact make this a high-priority vulnerability.
CVE-2026-21446 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability’s ease of exploitation. The EPSS score is expected to be high due to the RCE nature and the potential for widespread impact. The vulnerability was publicly disclosed on January 2, 2026.
Organizations running Bagisto e-commerce platforms, particularly those using older versions (≤v2.3.9), are at significant risk. Shared hosting environments where multiple Bagisto instances are hosted on the same server are especially vulnerable, as a compromise of one instance could potentially impact others. Custom Bagisto installations or those with modified installer routes are also at increased risk.
• php: Examine web server access logs for requests to /install/api/env-file-setup from unusual IP addresses or user agents.
grep "/install/api/env-file-setup" /var/log/apache2/access.log | grep -v "127.0.0.1"
• php: Check for modifications to the packages/Ibkul/Installer/src/Routes/Ib.php file. Unexpected changes could indicate an attempted exploit.
• generic web: Monitor for unusual processes running under the web server user account. Unexpected PHP scripts executing could indicate a successful exploit.
• generic web: Review the Bagisto installation directory permissions. Ensure that the web server user has only the necessary permissions to read and write files.
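One way to automate the access-log check above, as an added example that is not part of this advisory or of Bagisto itself: it parses Apache/nginx combined-format lines (the log format is assumed), keeps only requests to the installer endpoint from non-loopback sources, groups them by source IP and user agent, and separates successful writes from failed attempts. The sample log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

INSTALLER_ENDPOINT = "/install/api/env-file-setup"  # endpoint named in the advisory

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_loopback(ip):
    """Loopback may be a legitimate local installer run; anything else is suspect."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_installer_hits(lines):
    """Return parsed requests to the installer endpoint from non-loopback sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, never counted as a hit
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
        if path == INSTALLER_ENDPOINT and not is_loopback(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group by (ip, user agent); a 2xx on a write to this endpoint is the case to escalate."""
    by_source = Counter((h["ip"], h["ua"]) for h in hits)
    writes_ok = [h for h in hits if h["method"] in ("POST", "PUT") and int(h["status"]) < 300]
    return by_source, writes_ok


# Constructed sample log lines for this example (not from any real incident).
SAMPLE_LOG = """\
127.0.0.1 - - [02/Jan/2026:10:00:01 +0000] "GET /install/api/env-file-setup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2026:10:05:12 +0000] "POST /install/api/env-file-setup HTTP/1.1" 200 97 "-" "python-requests/2.31"
203.0.113.7 - - [02/Jan/2026:10:05:13 +0000] "POST /install/api/env-file-setup?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [02/Jan/2026:10:07:44 +0000] "GET /api/products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    by_source, writes_ok = summarize(find_installer_hits(SAMPLE_LOG))
    print(dict(by_source), f"{len(writes_ok)} successful write(s) to {INSTALLER_ENDPOINT}")
```

On a real server, replace SAMPLE_LOG with the lines of the access log and treat any successful write from a non-loopback source as an incident, since the installer should not be reachable after setup.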
disclosure
patch
Exploit status
EPSS: 0.14% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-21446 is to immediately upgrade Bagisto to version 2.3.10 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /install/api/env-file-setup endpoint using a web application firewall (WAF) or proxy server, blocking requests from untrusted sources. Carefully review and restrict file permissions on the Bagisto installation directory to minimize the potential impact of code execution. Monitor web server logs for suspicious activity, particularly requests targeting the vulnerable endpoint. After upgrading, confirm the fix by attempting a request to the /install/api/env-file-setup endpoint; it should return an error indicating access is denied.
Upgrade Bagisto to version 2.3.10 or later. This version fixes the missing-authentication vulnerability in the installer API endpoints. The update prevents unauthenticated attackers from creating administrator accounts or modifying the application configuration.
CVE-2026-21446 is a critical Remote Code Execution vulnerability in Bagisto e-commerce platform versions up to v2.3.9, allowing attackers to execute arbitrary code.
You are affected if you are running Bagisto versions 2.3.9 or earlier. Upgrade to 2.3.10 or later to mitigate the risk.
Upgrade Bagisto to version 2.3.10 or later. As a temporary workaround, restrict access to the /install/api/env-file-setup endpoint.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the official Bagisto security advisory for detailed information and updates: [https://bagisto.com/security/advisories](https://bagisto.com/security/advisories)