CVE-2025-60880 | THREATINT

Description

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

PUBLISHED Reserved 2025-09-26 | Published 2025-10-10 | Updated 2025-10-10 | Assigner mitre

HIGH: 8.3CVSS:3.1/AC:L/AV:N/A:H/C:H/I:L/PR:H/S:C/UI:R

References

github.com/Shenal01/CVE-2025-60880

cve.org (CVE-2025-60880)

nvd.nist.gov (CVE-2025-60880)

Download JSON