PrestaShop: Open source ecommerce solution


Products by PrestaShop, sorted by most security vulnerabilities since 2018

PrestaShop: 99 vulnerabilities
PrestaShop Pk Customlinks: 1 vulnerability

By the Year

In 2026 there have so far been 3 vulnerabilities in PrestaShop, with an average score of 5.0 out of 10. In 2025, PrestaShop had 3 published security vulnerabilities. If vulnerabilities keep arriving at the current rate, the 2026 total could surpass last year's.

Year  Vulnerabilities  Average Score
2026  3   5.00
2025  3   0.00
2024  16  6.88
2023  43  8.56
2022  6   7.27
2021  7   7.54
2020  35  6.38
2019  3   6.10
2018  9   8.20

It may take a day or so for new PrestaShop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent PrestaShop Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-33674 Mar 26, 2026
PrestaShop <8.2.5/9.1.0 Validation Framework Vulnerability PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Prestashop
CVE-2026-33673 Mar 26, 2026
PrestaShop <8.2.5/<9.1.0 Stored XSS in Back-Office Templates PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored cross-site scripting (stored XSS) in the back office (BO). An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Prestashop
CVE-2026-25597 Feb 06, 2026
PrestaShop <8.2.4 & <9.0.3: Time-based User Enum in Auth PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
Prestashop
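The mechanism behind CVE-2026-25597 is a generic one: an authentication path that skips the expensive password check when no account matches the e-mail answers measurably faster than one that runs it. The following added example (not PrestaShop's code; the function names, the in-memory customer fixture and the column name "passwd" are assumptions) shows the leaking shape beside a constant-work variant, and times both so the gap is visible locally.

```php
<?php
declare(strict_types=1);

/**
 * Vulnerable shape: the bcrypt check only runs when the e-mail matches a row,
 * so an unknown address answers in microseconds while a known one pays for a
 * full password_verify() (tens to hundreds of ms). The gap is measurable
 * over the network and tells the attacker which accounts exist.
 */
function loginVulnerable(array $customersByEmail, string $email, string $password): bool
{
    if (!isset($customersByEmail[$email])) {
        return false; // fast path: leaks "no such account"
    }
    return password_verify($password, $customersByEmail[$email]['passwd']);
}

/**
 * Hardened shape: exactly one password_verify() on every call, against the
 * real hash when the row exists and against a decoy hash of the same
 * algorithm and cost when it does not. Both branches now do the same work.
 */
function loginConstantWork(array $customersByEmail, string $email, string $password, string $decoyHash): bool
{
    $row  = $customersByEmail[$email] ?? null;
    $hash = $row['passwd'] ?? $decoyHash;
    $ok   = password_verify($password, $hash);
    return $ok && $row !== null; // a decoy match can never log in
}

function millis(callable $fn): float
{
    $t0 = hrtime(true);
    $fn();
    return (hrtime(true) - $t0) / 1e6;
}

// Constructed fixture standing in for the customer table (assumed column name "passwd").
$cost      = 10;
$customers = ['alice@example.com' => ['passwd' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => $cost])]];
// Decoy: hash of a random secret nobody knows. Compute it once at boot, not per request.
$decoy     = password_hash(bin2hex(random_bytes(32)), PASSWORD_BCRYPT, ['cost' => $cost]);

$known   = 'alice@example.com';
$unknown = 'nobody@example.com';
printf("vulnerable: known=%.2f ms  unknown=%.2f ms\n",
    millis(fn() => loginVulnerable($customers, $known, 'wrong')),
    millis(fn() => loginVulnerable($customers, $unknown, 'wrong')));
printf("hardened:   known=%.2f ms  unknown=%.2f ms\n",
    millis(fn() => loginConstantWork($customers, $known, 'wrong', $decoy)),
    millis(fn() => loginConstantWork($customers, $unknown, 'wrong', $decoy)));
```

The decoy must use the same algorithm and cost as the stored hashes, otherwise the two branches differ again. The database lookup itself (index hit versus miss) also costs a slightly different amount of time, but it is orders of magnitude smaller than a bcrypt verification; rate limiting on the login endpoint narrows what remains.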
CVE-2025-25692 Jul 30, 2025
PHAR Deserialization RCE in PrestaShop _getHeaders 8.2.0 A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
Prestashop
CVE-2025-25691 Jul 30, 2025
PrestaShop 8.2.0 PHAR Deserialization RCE via /themes/import A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
Prestashop
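CVE-2025-25691 and CVE-2025-25692 both rely on the same PHP property: filesystem functions such as file_exists(), is_file(), filesize() and getimagesize() go through the stream-wrapper layer, and the phar:// wrapper unserializes the archive's metadata when it opens the archive, so a crafted archive plus a path the attacker controls is enough to instantiate objects. The added example below (not PrestaShop's code; AuditHook, the sink functions and the file names are hypothetical) builds such an archive, disguises it as a JPEG, triggers the sink, and shows the scheme check that stops it. It needs `php -d phar.readonly=0` only to build the archive; the victim side works with the default phar.readonly=1. On PHP 8.0 and later the wrapper no longer unserializes metadata implicitly (only an explicit Phar::getMetadata() does), so the __wakeup() line prints on PHP 7.x, which PrestaShop 8 still supports.

```php
<?php
// Run with: php -d phar.readonly=0 phar_demo.php
declare(strict_types=1);

// Stand-in for a gadget class. In a real chain this is a class already loaded by the
// application or a vendor library whose __wakeup()/__destruct() has a dangerous side
// effect (writes a file, evaluates a template, ...). This one only prints.
class AuditHook
{
    public string $note = '';
    public function __wakeup(): void
    {
        echo "[!] AuditHook::__wakeup() ran inside a plain file_exists(): {$this->note}\n";
    }
}

/** Build an archive whose metadata is a serialized object, then disguise it as a JPEG. */
function buildDisguisedPhar(string $dir): string
{
    $phar = "$dir/carrier.phar";
    @unlink($phar);
    $archive = new Phar($phar);                     // creation requires the .phar extension
    $archive->startBuffering();
    $archive->addFromString('x.txt', 'payload carrier');
    $archive->setStub('<?php __HALT_COMPILER(); ?>');
    $hook = new AuditHook();
    $hook->note = 'metadata unserialized by the phar:// stream wrapper';
    $archive->setMetadata($hook);                   // serialize($hook) goes into the manifest
    $archive->stopBuffering();
    $jpg = "$dir/avatar.jpg";                       // the wrapper keys on the stub, not the name
    rename($phar, $jpg);
    return $jpg;
}

// Vulnerable sink: a filesystem function on an attacker-influenced path. The
// phar:// wrapper parses the manifest (and its metadata) on open.
function sinkVulnerable(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened sink: never let a scheme prefix reach a filesystem call. Anything
// resembling "scheme:" is refused (this also rejects Windows drive letters, so
// on Windows pass names relative to a fixed base directory instead).
function sinkHardened(string $userPath): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        throw new InvalidArgumentException("stream wrapper scheme refused in: $userPath");
    }
    return file_exists($userPath);
}

$jpg    = buildDisguisedPhar(sys_get_temp_dir());
$attack = 'phar://' . $jpg . '/x.txt';              // what a crafted POST parameter would carry

echo "vulnerable sink:\n";
var_dump(sinkVulnerable($attack));                  // PHP 7.x: __wakeup fires, then bool(true)

echo "hardened sink:\n";
try {
    sinkHardened($attack);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
unlink($jpg);
```

Extension or MIME checks on the upload do not help, since the wrapper recognises the archive by its stub. As defence in depth, an application that never needs phar:// can call stream_wrapper_unregister('phar') at bootstrap, which makes the attack path fail on every PHP version.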
CVE-2025-1230 Feb 12, 2025
Stored XSS in Prestashop 8.1.7 via /admin/index.php link param Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through /<admin_directory>/index.php, affecting the link parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Prestashop
CVE-2024-36626 Nov 29, 2024
PrestaShop 8.1.4 Tools.php NULL Pointer Dereference Vulnerability In PrestaShop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php.
Prestashop
CVE-2024-41651 Aug 12, 2024
PrestaShop 8.1.7 and prior: Remote Arbitrary Code Exec via Module Upgrade An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
Prestashop
CVE-2024-36684 Jun 19, 2024
PrestaShop pk_customlinks <=2.3 SQLi via ajax.php In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
Pk Customlinks
CVE-2024-34717 May 14, 2024
PrestaShop 8.1.5 Anonymous Invoice Download via Secure_Key (Fixed in 8.1.6) PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.
Prestashop
CVE-2024-34716 May 14, 2024
PrestaShop XSS via Customer-Thread Upload (8.1.0-8.1.5), fixed in 8.1.6 PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled, an attacker can upload, through the front-office contact form, a malicious file containing an XSS payload that will be executed when an admin opens the attached file in the back office. The injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature flag.
Prestashop
CVE-2024-28390 Mar 14, 2024
Priv Escalation via Improper AC in PrestaShop UltimateImageTool <2.2.01 An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.
Prestashop
CVE-2024-28391 Mar 14, 2024
SQLi in FME Modules quickproducttable (PrestaShop v1.2.1) via CSV Read SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and displayAjaxProductSku methods.
Prestashop
CVE-2024-25847 Mar 03, 2024
simpleimportproduct <=6.5.0 (MyPrestaModules) SQLi + privilege escalation SQL injection vulnerability in the MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) module for PrestaShop, versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via the Send::__construct() and importProducts::_addDataToDb methods.
Prestashop
CVE-2024-25844 Mar 03, 2024
soflexibilite <4.1.26 Module Priv Esc via Debug File An issue was discovered in the Common-Services "So Flexibilite" (soflexibilite) module for PrestaShop before version 4.1.26, which allows remote attackers to escalate privileges and obtain sensitive information via a debug file.
Prestashop
CVE-2024-25843 Feb 27, 2024
SQLi in ba_importer <=1.1.28 (Buy Addons for PrestaShop), guest-exploitable In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.
Import/Update Bulk Product
CVE-2024-25841 Feb 27, 2024
PrestaShop <4.1.26 XSS via So Flexibilite (soflexibilite) module In the module "So Flexibilite" (soflexibilite) from Common-Services for PrestaShop < 4.1.26, a guest (authenticated customer) can perform Cross Site Scripting (XSS) injection.
Prestashop
CVE-2024-26129 Feb 19, 2024
PrestaShop 8.1.0-8.1.3 Path Disclosure via JS Variable PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.
Prestashop
CVE-2023-46350 Feb 09, 2024
idxrmanufacturer <=2.0.4 SQLi (InnovaDeluxe) SQL injection vulnerability in the InnovaDeluxe "Manufacturer or supplier alphabetical search" (idxrmanufacturer) module for PrestaShop, versions 2.0.4 and before, allows remote attackers to escalate privileges and obtain sensitive information via the methods IdxrmanufacturerFunctions::getCornersLink, IdxrmanufacturerFunctions::getManufacturersLike and IdxrmanufacturerFunctions::getSuppliersLike.
Prestashop
CVE-2023-48926 Jan 16, 2024
202 Ecommerce Advanced Loyalty Points <v2.3.4 Unauth Order Status Change An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
Advanced Loyalty Program
CVE-2024-21628 Jan 02, 2024
PrestaShop <8.1.3 XSS via missing isCleanHtml on message form PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on the message form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in the BO, thanks to Twig's escaping mechanism. In the FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects shops that have a module fetching these messages from the DB and displaying them without escaping HTML. Version 8.1.3 contains a patch for this issue.
Prestashop
CVE-2024-21627 Jan 02, 2024
PrestaShop XSS via isCleanHTML before 8.1.3/1.7.8.11 PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
Prestashop
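CVE-2024-21627 and CVE-2024-21628 (and CVE-2023-39527 further down) come from the same design: a filter that recognises a fixed list of dangerous tags and event attributes accepts by default whatever it does not recognise, and the list of HTML event handlers is long and still growing. The advisory's recommended workaround is the allowlist approach of HTMLPurifier. The added example below is not PrestaShop's code and its blocklistIsClean() is only an illustrative stand-in for that style of check, not the real isCleanHTML; it assumes the ezyang/htmlpurifier package is installed through Composer (PrestaShop ships it as a dependency) and that the customer-message payloads are constructed. The configuration keys used are HTMLPurifier's own.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // ezyang/htmlpurifier (assumed installed via Composer)

/**
 * Blocklist-style checker (illustrative stand-in, not PrestaShop's isCleanHTML):
 * returns true when none of a fixed set of tags or event attributes appears.
 * Whatever is missing from the list is accepted as "clean".
 */
function blocklistIsClean(string $html): bool
{
    if (preg_match('#<\s*/?\s*(script|iframe|object|embed|style)\b#i', $html)) {
        return false;
    }
    $events = ['onload', 'onerror', 'onclick', 'onmouseover', 'onmouseout', 'onkeydown'];
    foreach ($events as $ev) {
        if (preg_match('#\b' . $ev . '\s*=#i', $html)) {
            return false;
        }
    }
    return true;
}

/**
 * Allowlist sanitizer: HTMLPurifier keeps only the elements, attributes and URI
 * schemes named here and drops or rewrites everything else, so a new event
 * attribute or an unexpected scheme never has to be anticipated.
 */
function allowlistSanitize(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        $config->set('Cache.DefinitionImpl', null); // demo: no serializer cache directory needed
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

// Constructed customer-message payloads: only the first one is on the blocklist.
$samples = [
    '<img src=x onerror=alert(1)>',
    '<input onfocus=alert(1) autofocus>',
    '<svg><animate onbegin=alert(1) attributeName=x dur=1s></svg>',
    '<a href="javascript:alert(1)">offer</a>',
    '<details open ontoggle=alert(1)>',
];
foreach ($samples as $s) {
    printf("%-62s blocklist=%s\n    purified: %s\n",
        $s,
        blocklistIsClean($s) ? 'CLEAN (missed)' : 'rejected',
        allowlistSanitize($s));
}
```

Note the difference in contract: a validator like isCleanHTML answers yes or no and the caller decides what to do, whereas purify() returns a rewritten string that is safe to store. The advisory's last sentence matters for the second approach: legacy ObjectModel fields declared as HTML type still call isCleanHTML on validation, so the purified value must be what reaches the model.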
CVE-2023-45377 Nov 22, 2023
SQLi in PrestaShop Chronopost Official Module (cancelSkybill.php) In the module "Chronopost Official" (chronopost) for PrestaShop, a guest can perform SQL injection. The PHP script `cancelSkybill.php` contains sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
Prestashop
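Most of the module entries on this page (pk_customlinks, chronopost, opartlimitquantity, opartfaq, opartsavecart, payplug, postfinance, possearchproducts, posstaticfooter and others) share one defect: a front controller that is reachable by any guest pastes a request parameter into a query string. The added example below is not PrestaShop's code; it uses an in-memory SQLite database through PDO (assumed available, as in most PHP builds) with constructed tables standing in for ps_product_lang and ps_customer, and shows a vulnerable search handler, the payload a "trivial http call" would carry, and the parameterised fix.

```php
<?php
declare(strict_types=1);

// Constructed in-memory schema standing in for ps_product_lang and ps_customer.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE product_lang (id_product INTEGER, name TEXT)');
$db->exec('CREATE TABLE customer (email TEXT, passwd TEXT)');
$db->exec("INSERT INTO product_lang VALUES (1, 'Mug'), (2, 'T-shirt')");
$db->exec("INSERT INTO customer VALUES ('alice@example.com', 'constructed-bcrypt-hash')");

/** Vulnerable: the "sensitive SQL call". The guest-controlled parameter is pasted into SQL. */
function ajaxSearchVulnerable(PDO $db, array $get): array
{
    $q   = $get['q'] ?? '';
    $sql = "SELECT id_product, name FROM product_lang WHERE name LIKE '%{$q}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

/** Fixed: bound parameter, and LIKE wildcards escaped so the input is only ever a pattern. */
function ajaxSearchFixed(PDO $db, array $get): array
{
    $q       = (string) ($get['q'] ?? '');
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt    = $db->prepare("SELECT id_product, name FROM product_lang WHERE name LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// What the trivial HTTP call looks like: GET /module/<module>/ajax?q=<payload>
// The payload closes the quoted LIKE pattern, appends a UNION over another
// table with the same column count, and comments out the rest of the query.
$payload = "%' UNION SELECT email, passwd FROM customer -- ";

echo "vulnerable:\n";
print_r(ajaxSearchVulnerable($db, ['q' => $payload]));   // customer e-mail and hash leak
echo "fixed:\n";
print_r(ajaxSearchFixed($db, ['q' => $payload]));        // no rows: the payload is just a pattern
echo "fixed, honest search:\n";
print_r(ajaxSearchFixed($db, ['q' => 'mug']));           // [1, 'Mug']
```

In a PrestaShop module the query usually goes through Db::getInstance()->executeS(), where the equivalent discipline is pSQL() around every quoted string literal and an (int) cast on every identifier such as id_product. pSQL() escapes quotes but does not escape LIKE wildcards and cannot protect table or column names, and leaving it off a single parameter is exactly the defect these entries describe.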
CVE-2023-47110 Nov 09, 2023
PrestaShop blockreassurance <5.1.4: Arbitrary Configuration Write via Ajax blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in the blockreassurance module allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4.
Customer Reassurance Block
CVE-2023-47109 Nov 08, 2023
PrestaShop blockreassurance <5.1.4: Arbitrary File Deletion via BO Block Image Path PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in the blockreassurance module, a BO user can modify the HTTP request and give the path of any file in the project instead of an image. When the block is deleted from the BO, that file is deleted. It is possible to make the website completely unavailable, for example by removing index.php. This issue has been patched in version 5.1.4.
Customer Reassurance Block
CVE-2023-36263 Oct 31, 2023
PrestaShop opartlimitquantity <=1.4.5 SQL Injection PrestaShop opartlimitquantity 1.4.5 and before is vulnerable to SQL injection. `OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
Opartlimitquantity
Prestashop
CVE-2023-39647 Oct 03, 2023
SQLi in ThemeVolty CMS Category Product module before v4.0.2 PrestaShop Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module Theme Volty CMS Category Product (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
Prestashop
CVE-2023-43663 Sep 28, 2023
PrestaShop modules can be disabled by low-privileged users (Fixed in 8.1.2) PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even with low user rights. This allows low-privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Prestashop
CVE-2023-43664 Sep 28, 2023
PrestaShop <8.1.2 BO ACL Bypass via ajaxProcessGetPossibleHookingListForModule PrestaShop is an Open Source e-commerce web application. In the PrestaShop back office, an employee can list all modules without any access rights: the method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c`, which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Prestashop
CVE-2023-34576 Sep 21, 2023
PrestaShop opartfaq <=1.0.3 SQL Injection via updatepos.php SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspecified vectors.
Prestashop
CVE-2023-34575 Sep 20, 2023
SQLi in PrestaShop opartsavecart (<=2.0.7) via OpartSaveCartDefaultModuleFrontController SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via the OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.
Prestashop
CVE-2022-45448 Sep 20, 2023
M4 PDF plugin for Prestashop 3.2.3 vulnerable to arbitrary HTML crafting M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.
M4 Pdf
CVE-2022-45447 Sep 20, 2023
Prestashop M4PDF Plugin <=3.2.3 dir trav via f param M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The f parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.
M4 Pdf
CVE-2023-39530 Aug 07, 2023
PrestaShop <8.1.1 Remote File Deletion via CustomerMessage API PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Prestashop
CVE-2023-39529 Aug 07, 2023
File Deletion via Attachments API in PrestaShop <8.1.1 PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Prestashop
CVE-2023-39528 Aug 07, 2023
PrestaShop <8.1.1 Arbitrary File Read via displayAjaxEmailHTML PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Prestashop
CVE-2023-39527 Aug 07, 2023
PrestaShop XSS in isCleanHTML (<1.7.8.10/8.0.5/8.1.1) PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
Prestashop
CVE-2023-39526 Aug 07, 2023
PrestaShop Backoffice RCE via SQLi before 1.7.8.10/8.0.5/8.1.1 PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
Prestashop
CVE-2023-39525 Aug 07, 2023
PrestaShop <8.1.1 Path Traversal via Import File Deletion in Back Office PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion request with a file path that contains traversal sequences. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Prestashop
CVE-2023-39524 Aug 07, 2023
PrestaShop <8.1.1 SQL Injection in Back-Office Product Page PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field on the BO product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Prestashop
CVE-2023-33777 Jul 25, 2023
Prestashop Amazon pre-5.2.24 dir traversal via fbaorder.php An issue in /functions/fbaorder.php of Prestashop amazon before v5.2.24 allows attackers to execute a directory traversal attack.
Amazon
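CVE-2022-45447 (the f parameter of pdf.php), CVE-2023-39525 (replaying the import file deletion with a traversal path), CVE-2023-39529/39530 (deletion through the Attachments and CustomerMessage APIs) and CVE-2023-33777 (fbaorder.php) are all the same bug class: a user-supplied name is joined to a directory and handed to a filesystem call without checking where it actually resolves. The added example below is not PrestaShop's code; resolveInside() and deleteImportFile() are hypothetical names and the import directory with its single CSV is a constructed fixture. It canonicalises first with realpath() and only then compares against the base directory, so "../" sequences, absolute paths and symlinks pointing outside are all caught by one check. It needs PHP 8.0+ for str_contains()/str_starts_with().

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied file name to a real path inside $baseDir, or throw.
 * Catches "../" sequences, absolute paths, NUL bytes and symlinks that point
 * outside the directory, because realpath() runs before the prefix check.
 */
function resolveInside(string $baseDir, string $userName): string
{
    if ($userName === '' || str_contains($userName, "\0")) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $target = realpath($prefix . $userName);
    if ($target === false) {
        throw new RuntimeException('file not found');
    }
    if (!str_starts_with($target, $prefix)) {   // trailing separator: /srv/import vs /srv/import2
        throw new RuntimeException("path escapes $base");
    }
    return $target;
}

/** Deletion endpoint shape: only regular files inside the import directory can be removed. */
function deleteImportFile(string $importDir, string $userName): void
{
    $path = resolveInside($importDir, $userName);
    if (!is_file($path)) {
        throw new RuntimeException('not a regular file');
    }
    unlink($path);
}

// Constructed fixture: a throw-away import directory holding one legitimate upload.
$base = sys_get_temp_dir() . '/ps_import_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents("$base/products.csv", "id;name\n1;Mug\n");

foreach (['../../../../etc/passwd', '/etc/hosts', "x\0.csv", 'products.csv'] as $name) {
    try {
        deleteImportFile($base, $name);
        printf("%-28s -> deleted\n", json_encode($name));
    } catch (Throwable $e) {
        printf("%-28s -> rejected: %s\n", json_encode($name), $e->getMessage());
    }
}
rmdir($base);
```

Because realpath() returns false for a path that does not exist yet, this helper validates reads and deletions but not the destination of a new upload; for that, reduce the name with basename(), allowlist its characters, and check the resolved parent directory instead. For deletion endpoints the stronger fix is to stop accepting paths at all and delete by the record id of a file the application itself created.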
CVE-2023-30153 Jul 18, 2023
SQL Injection in Payplug Module for PrestaShop 3.6.x-3.7.x via ajax.php An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller.
Payplug
CVE-2023-30151 Jul 13, 2023
SQL injection in Boxtal PrestaShop module >=3.1.10 A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter.
Prestashop
CVE-2023-31672 Jun 15, 2023
ailinear <2.4.3 "Length, weight or volume sell" module SQL injection In the PrestaShop module "Length, weight or volume sell" (ailinear) before version 2.4.3, there is a SQL injection vulnerability.
Prestashop
CVE-2023-31671 Jun 14, 2023
PrestaShop postfinance <=17.1.13 SQLi via postProcess() PrestaShop postfinance <= 17.1.13 is vulnerable to SQL injection via PostfinanceValidationModuleFrontController::postProcess().
Prestashop
CVE-2023-33279 May 25, 2023
PrestaShop scfixmyprestashop Blind SQLi via HTTP In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.
Prestashop
CVE-2023-30199 May 19, 2023
Prestashop customexporter <=1.7.20 Incorrect Access Control via download.php Prestashop customexporter <= 1.7.20 is vulnerable to Incorrect Access Control via modules/customexporter/downloads/download.php.
Prestashop
CVE-2023-30192 May 12, 2023
Prestashop possearchproducts 1.7 SQLi via PosSearch::find() Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find().
Possearchproducts
CVE-2023-31508 May 11, 2023
CVE-2023-31508: rejected record (duplicate of CVE-2020-15178) ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2020-15178. Reason: This record is a duplicate of CVE-2020-15178. Notes: All CVE users should reference CVE-2020-15178 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Prestashop
CVE-2023-30194 May 10, 2023
Prestashop posstaticfooter <=1.0.0 SQLi via getPosCurrentHook() Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL injection via posstaticfooter::getPosCurrentHook().
Posstaticfooter
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.