CVE-2026-21447

moderate-risk

Published 2026-01-02

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

NETWORK / LOW complexity

Affected Products (1)

Bagisto

Affected Vendors

Webkul

References (2)

Patch https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74...

Exploit https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm

/ 100

moderate-risk

Severity 25/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal