Webkul 漏洞与 CVE 列表(56)

产品(CPE): — CVE 数: 56

Webkul 漏洞概览

汇总 Webkul 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。

历史漏洞主要涉及 跨站脚本与CSRF 等问题,部分漏洞可能导致 会话劫持,并影响 生产负载与软件部署 相关场景。

相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。

漏洞分布趋势(近 24 个月)

显示 12056 CVE 数
«« 第一页 « 上一页 第 1 / 3 页 下一页 »
CVE 摘要 来源 最高 CVSS EPSS % 公开时间 更新时间
CVE-2026-9506 This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system. [email protected] 8.7 0.46% 2026-06-08 2026-06-17
CVE-2026-38532 A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. [email protected] 8.1 0.35% 2026-04-14 2026-06-17
CVE-2026-38530 A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. [email protected] 8.1 0.35% 2026-04-14 2026-06-17
CVE-2026-38529 A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. [email protected] 8.8 0.62% 2026-04-14 2026-06-17
CVE-2021-41074 A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [email protected] 5.4 0.12% 2026-01-12 2026-06-17
CVE-2025-67325 Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. [email protected] 9.8 0.83% 2026-01-08 2026-06-17
CVE-2026-21451 Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity [email protected] 5.2 0.49% 2026-01-02 2026-06-17
CVE-2026-21450 Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue. [email protected] 7.3 1.23% 2026-01-02 2026-06-17
CVE-2026-21449 Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue. [email protected] 7.4 0.46% 2026-01-02 2026-06-17
CVE-2026-21448 Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch. [email protected] 8.9 0.83% 2026-01-02 2026-06-17
CVE-2026-21447 Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. [email protected] 7.1 0.27% 2026-01-02 2026-06-17
CVE-2026-21446 Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwri [email protected] 8.8 0.58% 2026-01-02 2026-06-17
CVE-2025-62418 Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8. [email protected] 6.9 0.26% 2025-10-16 2026-06-17
CVE-2025-62417 Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote com [email protected] 7.1 0.36% 2025-10-16 2026-06-17
CVE-2025-62416 Bagisto is an open source laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8. [email protected] 5.1 0.37% 2025-10-16 2026-06-17
CVE-2025-62415 Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8. [email protected] 6.9 0.26% 2025-10-16 2026-06-17
CVE-2025-62414 Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8. [email protected] 6.9 0.26% 2025-10-16 2026-06-17
CVE-2025-60880 An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions. [email protected] 8.3 0.39% 2025-10-10 2026-06-17
CVE-2025-56426 An issue WebKul Bagisto v.2.3.6 allows a remote attacker to execute arbitrary code via the Cart/Checkout API endpoint, specifically, the price calculation logic fails to validate quantity inputs properly. [email protected] 6.5 0.37% 2025-10-09 2026-06-17
CVE-2025-10759 A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." [email protected] 5.5 0.31% 2025-09-20 2026-06-17
«« 第一页 « 上一页 第 1 / 3 页 下一页 »
cvelogic Threat Intelligence