Home > Vulnerability Database > CVE-2025-60880

Mend.io Vulnerability Database

CVE-2025-60880

Good to know:

Date: October 9, 2025

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

Severity Score

8.3

Related Resources (7)

Url: https://github.com/bagisto/bagisto/commit/9ec40c99c34a83f311ffbb7c1039a59ff9d655cc

Url: https://github.com/Shenal01/CVE-2025-60880

Url: https://github.com/darylldoyle/svg-sanitizer/releases

Url: https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-60880

Url: https://github.com/bagisto/bagisto

Url: https://www.mend.io/vulnerability-database/CVE-2025-60880

Severity Score

8.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version bagisto/bagisto - v2.3.7

Learn More

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-60880

Good to know:

Date: October 9, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?