CVE-2025-60880

EUVD-2025-33764
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.3 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
mitreCNA
8.3 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:L/PR:H/S:C/UI:R
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
webkulbagisto
2.3.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98
https://github.com/Shenal01/CVE-2025-60880