CVE-2025-60880

Exploit

EPSS 0.39%
Veröffentlicht 10.10.2025 00:00:00
Zuletzt bearbeitet 08.01.2026 21:27:07
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Webkul ≫ Bagisto Version2.3.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.305

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.3	1.7	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H
cve@mitre.org	8.3	1.7	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/Shenal01/CVE-2025-60880

Third Party Advisory

Exploit

https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-60880

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-60880

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-60880

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-60880