CVE-2025-62414

MEDIUM

Bagisto < 2.3.8 - Stored Cross-Site Scripting in Admin Create Customer Form

Title source: llm

Description

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w

Scores

CVSS v3 6.9

EPSS 0.0026

EPSS Percentile 16.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79 CWE-87

Status published

Products (2)

bagisto/bagisto 0 - 2.3.8Packagist

webkul/bagisto 2.3.7

Published Oct 16, 2025

Tracked Since Feb 18, 2026