CVE-2025-40675

MEDIUM

Bagisto 2.0.0-2.2.2 - Reflected Cross-Site Scripting via Search Query Parameter

Title source: llm
STIX 2.1

Description

A Reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the parameter 'query' in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Scores

CVSS v3 6.1
EPSS 0.0019
EPSS Percentile 9.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
webkul/bagisto 2.0.0 - 2.2.3
Published Jun 09, 2025
Tracked Since Feb 18, 2026