HIGHCVE-2026-21447Published 2026-01-02Modified 2026-01-02CNA GitHub_M

CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

bagisto / bagisto
< 2.3.10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References

https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm
https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3

Metrics