CVE-2025-60880

high

Description

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

References

https://github.com/Shenal01/CVE-2025-60880

https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98

Details

Source: Mitre, NVD

Published: 2025-10-10

Updated: 2026-01-08

Risk Information

CVSS v2

Base Score: 8

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:P/A:C

Severity: High

CVSS v3

Base Score: 8.3

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H

Severity: High

EPSS

EPSS: 0.00038