CVE-2026-21446

moderate-risk

Published 2026-01-02

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 813e28551dd1d3207b9e275e6c2bd63f68f0f8b0

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Bagisto

Affected Vendors

Webkul

References (2)

Patch https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809b...

Exploit https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal