PatchSiren cyber security CVE debrief
CVE-2026-60120 Webkul CVE debrief
CVE-2026-60120 is a stored cross-site scripting vulnerability in Bagisto before version 2.4.4. The vulnerability is caused by client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers. This is achieved by registering a customer account with a malicious payload in the first or last name field. The create.blade.php template renders customer name fields without the Vue.js v-pre directive, causing Vue.js to evaluate stored template expressions as live JavaScript when an administrator opens the Create Order page for the affected customer.
- Vendor
- Webkul
- Product
- Bagisto
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Bagisto versions prior to 2.4.4 should be aware of this vulnerability and take immediate action to update their installations. Additionally, security teams and vulnerability managers should prioritize this CVE for patching and monitoring.
Technical summary
The vulnerability exists in the create.blade.php template of Bagisto, where customer name fields are rendered without the Vue.js v-pre directive. This allows an unauthenticated attacker to inject malicious JavaScript code by registering a customer account with a crafted payload in the first or last name field. When an administrator views the Create Order page for the affected customer, the injected JavaScript code is executed.
Defensive priority
Medium
Recommended defensive actions
- Update Bagisto to version 2.4.4 or later
- Implement input validation and sanitization for customer name fields
- Use a web application firewall to detect and prevent XSS attacks
- Monitor for suspicious activity and implement incident response plans
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-09T21:16:56.410Z and was last modified on 2026-07-10T16:16:38.640Z. The NVD entry is currently Received. Multiple sources confirm the vulnerability, including Vulncheck and the official CVE record.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T21:16:56.410Z and has not been modified since then. The NVD entry is currently Received.