PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60120 Webkul CVE debrief

CVE-2026-60120 is a stored cross-site scripting vulnerability in Bagisto before version 2.4.4. The vulnerability is caused by client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers. This is achieved by registering a customer account with a malicious payload in the first or last name field. The create.blade.php template renders customer name fields without the Vue.js v-pre directive, causing Vue.js to evaluate stored template expressions as live JavaScript when an administrator opens the Create Order page for the affected customer.

Vendor
Webkul
Product
Bagisto
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Administrators and users of Bagisto versions prior to 2.4.4 should be aware of this vulnerability and take immediate action to update their installations. Additionally, security teams and vulnerability managers should prioritize this CVE for patching and monitoring.

Technical summary

The vulnerability exists in the create.blade.php template of Bagisto, where customer name fields are rendered without the Vue.js v-pre directive. This allows an unauthenticated attacker to inject malicious JavaScript code by registering a customer account with a crafted payload in the first or last name field. When an administrator views the Create Order page for the affected customer, the injected JavaScript code is executed.

Defensive priority

Medium

Recommended defensive actions

  • Update Bagisto to version 2.4.4 or later
  • Implement input validation and sanitization for customer name fields
  • Use a web application firewall to detect and prevent XSS attacks
  • Monitor for suspicious activity and implement incident response plans
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T21:16:56.410Z and was last modified on 2026-07-10T16:16:38.640Z. The NVD entry is currently Received. Multiple sources confirm the vulnerability, including Vulncheck and the official CVE record.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T21:16:56.410Z and has not been modified since then. The NVD entry is currently Received.