PrestaShop

By the Year

In 2026 there have so far been 3 vulnerabilities in PrestaShop with an average score of 5.0 out of 10. In 2025, PrestaShop also had 3 security vulnerabilities published; none of those three entries carries a published score, which is why the table below shows a 0.00 average for 2025. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in PrestaShop in 2026 could surpass last year's.




Year Vulnerabilities Average Score
2026 3 5.00
2025 3 0.00
2024 13 6.69
2023 30 8.73
2022 4 7.18
2021 6 7.90
2020 27 6.47
2019 3 6.10
2018 9 8.20

It may take a day or so for new PrestaShop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, and unrelated products whose vendor name matches can appear here as well.

Recent PrestaShop Security Vulnerabilities

PrestaShop <8.2.5/9.1.0 Validation Framework Vulnerability
CVE-2026-33674 2 - Low - March 26, 2026

PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

Improper Use of Validation Framework

PrestaShop <8.2.5/9.1.0 Stored XSS in BO Templates
CVE-2026-33673 7.7 - High - March 26, 2026

PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

XSS

PrestaShop <8.2.4 & <9.0.3: Time-based User Enum in Auth
CVE-2026-25597 5.3 - Medium - February 06, 2026

PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.

Observable Timing Discrepancy
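The leak described above comes from doing the expensive password check only when the account exists. The following PHP is an added illustration, not code from PrestaShop, showing that pattern next to a constant-work version that always runs exactly one password_verify() call. The user store, the dummy-hash approach and the function names are this example's own assumptions (PHP 7.4 or later for the arrow functions).

```php
<?php
// Added example, not PrestaShop's code: why a login that only hashes for known
// accounts leaks account existence through timing, and the constant-work fix.
// The user store and addresses are constructed for the demo.

$users = [
    'alice@example.com' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Leaky pattern: the bcrypt verification runs only when the e-mail exists, so an
// unknown address is answered in microseconds and a known one in tens of milliseconds.
function login_leaky(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;                                   // fast path, no hashing
    }
    return password_verify($password, $users[$email]);  // slow path
}

// Constant-work pattern: exactly one password_verify() per attempt, against a
// precomputed dummy hash (same algorithm and cost) when the account is unknown.
// The dummy hash can never grant access because $known is ANDed into the result.
function login_constant_work(array $users, string $email, string $password, string $dummyHash): bool
{
    $known = isset($users[$email]);
    $hash  = $known ? $users[$email] : $dummyHash;
    $ok    = password_verify($password, $hash);
    return $known && $ok;
}

// Generated once at boot in a real deployment, not per request.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

function time_ms(callable $fn): float
{
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6;
}

$probes = ['alice@example.com' => 'wrong-password', 'nobody@example.com' => 'wrong-password'];
foreach ($probes as $email => $pw) {
    $leaky    = time_ms(fn () => login_leaky($users, $email, $pw));
    $constant = time_ms(fn () => login_constant_work($users, $email, $pw, $dummyHash));
    printf("%-20s leaky=%7.2f ms  constant-work=%7.2f ms\n", $email, $leaky, $constant);
}
```

Run from the command line, the leaky variant answers the unknown address in a fraction of a millisecond and the known one in tens of milliseconds, while the constant-work variant takes the same time for both. The same rule applies to password-reset and registration forms, where the response body rather than the timing usually gives the account away.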

PrestaShop 8.2.0 PHAR Deserialization RCE via _getHeaders
CVE-2025-25692 - July 30, 2025

A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

PrestaShop 8.2.0 PHAR Deserialization RCE via /themes/import
CVE-2025-25691 - July 30, 2025

A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
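Both PHAR entries above describe the same mechanism: a filesystem function receives a path the attacker controls, the path begins with phar://, and PHP unserializes the archive's metadata as a side effect of a simple stat. The PHP below is an added illustration and is not the PrestaShop code involved in either CVE; the AuditLogger class, the archive it builds and the two helper functions are assumptions for the demo.

```php
<?php
// Added example, not PrestaShop's code: how a user-supplied path beginning with
// phar:// turns a plain filesystem check into unserialize(), and a path filter
// that stops it. The archive, class and paths are constructed for the demo.
// Run with:  php -d phar.readonly=0 phar_demo.php   (needed to build the PoC archive)

class AuditLogger
{
    public $message = 'benign';

    // Runs only when an instance is unserialized, i.e. when the phar wrapper
    // restores the archive metadata. A real gadget chain would do file writes
    // or code execution here; this one just announces itself.
    public function __wakeup()
    {
        echo "[AuditLogger::__wakeup] {$this->message}\n";
    }
}

// 1. Build an archive whose metadata is a serialized object. In the real issue
//    this is an attacker upload (image, theme zip, ...) with any extension.
$pharPath = sys_get_temp_dir() . '/demo.phar';
@unlink($pharPath);
$phar = new Phar($pharPath);
$phar->startBuffering();
$phar->addFromString('x.txt', 'x');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$gadget = new AuditLogger();
$gadget->message = 'metadata was unserialized during file_exists()';
$phar->setMetadata($gadget);
$phar->stopBuffering();

// 2. Vulnerable pattern: any stat-style call on an attacker-controlled path.
//    On PHP 7.x the phar wrapper unserializes the metadata here, before a single
//    byte of file content is read.
function file_size_leaky($userPath)
{
    return file_exists($userPath) ? filesize($userPath) : false;
}

// 3. Hardened pattern: refuse every stream-wrapper scheme, then confine the
//    resolved path to a fixed base directory.
function file_size_confined($userPath, $baseDir)
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;                                 // phar://, file://, data://, ...
    }
    $base = realpath($baseDir);
    $real = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                                 // missing, or outside $baseDir
    }
    return filesize($real);
}

$attack = 'phar://' . $pharPath . '/x.txt';
echo "leaky:    "; var_dump(file_size_leaky($attack));                        // __wakeup fires on PHP 7.x
echo "confined: "; var_dump(file_size_confined($attack, sys_get_temp_dir()));  // bool(false), wrapper never consulted
```

PHP 8.0 and later no longer unserialize phar metadata during stat calls, so the leaky helper prints nothing there; on 7.x the __wakeup line appears before file_exists() even returns. Where the phar wrapper is not needed at all, stream_wrapper_unregister('phar') at bootstrap removes the trigger entirely, and the scheme check stays useful against file://, data:// and the other wrappers.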

Stored XSS in Prestashop 8.1.7 via /admin/index.php link param
CVE-2025-1230 - February 12, 2025

Stored Cross-Site Scripting (XSS) vulnerability in PrestaShop 8.1.7, due to the lack of proper validation of user input through /<admin_directory>/index.php, affecting the link parameter. This vulnerability could allow a remote user to send a specially crafted request to an authenticated user and steal their session cookie.

XSS

PrestaShop Tools.php NULL Pointer Dereference Vulnerability
CVE-2024-36626 - November 29, 2024

In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php.

PrestaShop 8.1.7 and prior: Remote Arbitrary Code Exec via Module Upgrade
CVE-2024-41651 8.1 - High - August 12, 2024

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).

SSRF

PrestaShop 8.1.5 Anonymous Invoice Download via Secure_Key (Fixed in 8.1.6)
CVE-2024-34717 5.3 - Medium - May 14, 2024

PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.

PrestaShop XSS via Customer-Thread Upload (8.1.0-8.1.5) fixed in 8.1.6
CVE-2024-34716 6.1 - Medium - May 14, 2024

PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer-thread feature flag is enabled, an attacker can upload, through the front-office contact form, a malicious file containing an XSS payload that is executed when an admin opens the attached file in the back office. The injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature flag.

XSS

SQLi in FME Modules quickproducttable (PrestaShop v1.2.1) via CSV Read
CVE-2024-28391 - March 14, 2024

SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and displayAjaxProductSku methods.

Priv Escalation via Improper AC in PrestaShop UltimateImageTool <2.2.01
CVE-2024-28390 - March 14, 2024

An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.

PrestaShop simpleimportproduct module <=6.5.0 SQLi + privilege escalation
CVE-2024-25847 - March 03, 2024

SQL Injection vulnerability in the MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) module for PrestaShop, versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via the Send::__construct() and importProducts::_addDataToDb methods.

PrestaShop <4.1.26 soflexibilite Module Priv Esc via Debug File
CVE-2024-25844 - March 03, 2024

An issue was discovered in Common-Services "So Flexibilite" (soflexibilite) module for PrestaShop before version 4.1.26, allows remote attackers to escalate privileges and obtain sensitive information via debug file.

PrestaShop <4.1.26 XSS via So Flexibilite (soflexibilite) module
CVE-2024-25841 - February 27, 2024

In the module "So Flexibilite" (soflexibilite) from Common-Services for PrestaShop < 4.1.26, a guest (authenticated customer) can perform Cross Site Scripting (XSS) injection.

PrestaShop 8.1.0-8.1.3 Path Disclosure via JS Variable
CVE-2024-26129 5.3 - Medium - February 19, 2024

PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.

Directory traversal

PrestaShop idxrmanufacturer module <=2.0.4 SQLi
CVE-2023-46350 9.8 - Critical - February 09, 2024

SQL injection vulnerability in InnovaDeluxe "Manufacturer or supplier alphabetical search" (idxrmanufacturer) module for PrestaShop versions 2.0.4 and before, allows remote attackers to escalate privileges and obtain sensitive information via the methods IdxrmanufacturerFunctions::getCornersLink, IdxrmanufacturerFunctions::getManufacturersLike and IdxrmanufacturerFunctions::getSuppliersLike.

SQL Injection

PrestaShop <8.1.3 XSS via missing isCleanHtml check on message form
CVE-2024-21628 6.1 - Medium - January 02, 2024

PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not applied to this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in the back office (BO), thanks to Twig's escaping. In the front office (FO), the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects shops that have a module fetching these messages from the database and displaying them without escaping the HTML. Version 8.1.3 contains a patch for this issue.

XSS

PrestaShop XSS via isCleanHTML before 8.1.3/1.7.8.11
CVE-2024-21627 6.1 - Medium - January 02, 2024

PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.

XSS

SQLi in PrestaShop Chronopost Official Module (cancelSkybill.php)
CVE-2023-45377 9.8 - Critical - November 22, 2023

In the module "Chronopost Official" (chronopost) for PrestaShop, a guest can perform SQL injection. The PHP script `cancelSkybill.php` contains sensitive SQL calls that can be reached with a trivial HTTP request and exploited to forge a SQL injection.

SQL Injection

PrestaShop opartlimitquantity <=1.4.5 SQL Injection
CVE-2023-36263 9.8 - Critical - October 31, 2023

PrestaShop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. `OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be reached with a trivial HTTP request and exploited to forge a SQL injection.

SQL Injection

SQLi in ThemeVolty CMS Category Product module before v4.0.2 PrestaShop
CVE-2023-39647 9.8 - Critical - October 03, 2023

Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module Theme Volty CMS Category Product (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

SQL Injection

PrestaShop modules can be disabled by low-privileged users (Fixed in 8.1.2)
CVE-2023-43663 4.3 - Medium - September 28, 2023

PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even by an employee with low user rights. This allows low-privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Improper Privilege Management

PrestaShop <8.1.2 BO ACL Bypass via ajaxProcessGetPossibleHookingListForModule
CVE-2023-43664 4.3 - Medium - September 28, 2023

PrestaShop is an Open Source e-commerce web application. In the PrestaShop back office, an employee can list all modules without any access rights: the method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c`, which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Improper Privilege Management

PrestaShop opartfaq<=1.0.3 SQL Injection via updatepos.php
CVE-2023-34576 9.8 - Critical - September 21, 2023

SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspecified vectors.

SQL Injection

SQLi in PrestaShop opartsavecart <=2.0.7 via OpartSaveCartDefaultModuleFrontController
CVE-2023-34575 9.8 - Critical - September 20, 2023

SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.

SQL Injection

PrestaShop <8.1.1 Path Traversal via Import File Deletion in Back Office
CVE-2023-39525 9.1 - Critical - August 07, 2023

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, arbitrary files on the server can be deleted from the back office by replaying the import-file deletion request with a file path containing directory traversal sequences. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Directory traversal

PrestaShop Backoffice RCE via SQLi before 1.7.8.10/8.0.5/8.1.1
CVE-2023-39526 9.8 - Critical - August 07, 2023

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

SQL Injection

PrestaShop XSS in isCleanHTML before 1.7.8.10/8.0.5/8.1.1
CVE-2023-39527 6.1 - Medium - August 07, 2023

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

XSS

PrestaShop <8.1.1 Arbitrary File Read via displayAjaxEmailHTML
CVE-2023-39528 8.6 - High - August 07, 2023

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Directory traversal

File Deletion via Attachments API in PrestaShop <8.1.1
CVE-2023-39529 9.1 - Critical - August 07, 2023

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

PrestaShop <8.1.1 Remote File Deletion via CustomerMessage API
CVE-2023-39530 9.1 - Critical - August 07, 2023

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Improper Input Validation
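The three file-deletion entries above (import files, attachments, customer-message attachments) and the displayAjaxEmailHTML file-read entry share one root cause: a path taken from the request is joined to a directory and handed to unlink() or a read function. The PHP below is an added illustration, not PrestaShop's handlers; the directory layout, file names and helper functions are constructed for the demo inside the system temp directory.

```php
<?php
// Added example, not PrestaShop's code: a "delete this upload" handler in the
// traversal-prone form and in a confined form. Directory layout and file names
// are constructed for the demo inside the system temp directory.

// Vulnerable: the request supplies the name, and "../" or an absolute path walks
// out of the upload directory. Replaying a legitimate delete request with a
// modified name is all it takes.
function delete_upload_naive(string $uploadDir, string $name): bool
{
    $target = $uploadDir . '/' . $name;
    return is_file($target) && unlink($target);
}

// Confined: bare file names only, resolved and checked against the base
// directory, regular files only, no symlinks.
function delete_upload_confined(string $uploadDir, string $name): bool
{
    // 1. A bare file name has no separators, is not "." or "..", and has no NUL byte.
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || strpos($name, "\0") !== false) {
        return false;
    }
    // 2. Resolve both sides; the target's parent must be exactly the base directory.
    //    realpath() follows symlinks, so a link pointing outside fails this test.
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    $target = realpath($candidate);
    if ($target === false || dirname($target) !== $base) {
        return false;
    }
    // 3. Regular files only; a symlink inside the directory is refused as well.
    if (is_link($candidate) || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

$root = sys_get_temp_dir() . '/del_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/invoice.pdf', 'an upload');
file_put_contents($root . '/secret.txt', 'not an upload');

var_dump(delete_upload_naive($root . '/uploads', '../secret.txt'));      // bool(true): sibling file deleted
file_put_contents($root . '/secret.txt', 'not an upload');               // restore for the second run
var_dump(delete_upload_confined($root . '/uploads', '../secret.txt'));   // bool(false): rejected before any I/O
var_dump(delete_upload_confined($root . '/uploads', 'invoice.pdf'));     // bool(true): legitimate delete
var_dump(file_exists($root . '/secret.txt'));                            // bool(true): untouched
```

In a real handler the file name should come from the server-side record being deleted (the attachment row, the import job) rather than from the client, with the confinement check kept as defence in depth. The same base-directory check covers the read side by swapping unlink() for file_get_contents().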

PrestaShop <8.1.1 SQL Injection in Back-Office Product Page
CVE-2023-39524 9.8 - Critical - August 07, 2023

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field of the back-office product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

SQL Injection

SQL injection in Boxtal PrestaShop module >=3.1.10
CVE-2023-30151 9.8 - Critical - July 13, 2023

A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter.

SQL Injection

PrestaShop ailinear (Length, weight or volume sell) module <2.4.3 SQL injection
CVE-2023-31672 9.8 - Critical - June 15, 2023

In the PrestaShop module "Length, weight or volume sell" (ailinear) before version 2.4.3 there is a SQL injection vulnerability.

SQL Injection

PrestaShop Postfinance SQLi via postProcess() v<=17.1.13
CVE-2023-31671 9.8 - Critical - June 14, 2023

PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess().

SQL Injection

PrestaShop scfixmyprestashop Blind SQLi via HTTP
CVE-2023-33279 9.8 - Critical - May 25, 2023

In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

SQL Injection

Prestashop customexporter <=1.7.20 Incorrect Access Control via download.php
CVE-2023-30199 7.5 - High - May 19, 2023

Prestashop customexporter <= 1.7.20 is vulnerable to Incorrect Access Control via modules/customexporter/downloads/download.php.

Directory traversal

Unknown product vulnerability - duplicate CVE-2023-31508
CVE-2023-31508 - May 11, 2023

** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2020-15178. Reason: This record is a duplicate of CVE-2020-15178. Notes: All CVE users should reference CVE-2020-15178 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

PrestaShop <8.0.4/1.7.8.9 SQL Filtering Vulnerability
CVE-2023-30839 8.8 - High - April 25, 2023

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

SQL Injection

PrestaShop XSS via ValidateCore::isCleanHTML before 8.0.4 / 1.7.8.9
CVE-2023-30838 9.9 - Critical - April 25, 2023

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of PrestaShop misses hijackable events, which can lead to cross-site scripting (XSS) injection through pre-set `@keyframes` animations. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor or administrator, which makes it as dangerous as a trivial XSS attack. Unlike other attacks that target HTML attributes and fire without user interaction (such as onload / onerror, which have a very limited scope), this one can hijack every HTML element, which widens the danger to the complete set of HTML elements. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue.

XSS
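This entry and CVE-2024-21627 above describe the same weakness: a sanitizer that recognises event handlers by name misses the ones it never listed, and the animation events reachable through `@keyframes` fire without any user interaction. The PHP below is an added illustration; it is not PrestaShop's code and does not reproduce isCleanHTML. It puts a blocklist in that spirit next to an allowlist walk over a parsed DOM. The payloads and both functions are constructed for the demo (ASCII input assumed; ext-dom required).

```php
<?php
// Added example, not PrestaShop's code and not a reproduction of isCleanHTML: a
// blocklist in the same spirit (named event attributes) next to an allowlist
// walk over a parsed DOM. The payloads are constructed; the third one uses the
// CSS-animation event that needs no user interaction, the mechanism behind the
// @keyframes case above.

// Blocklist: knows some handlers by name, so any handler it never listed passes.
function is_clean_html_blocklist(string $html): bool
{
    $events = 'onload|onerror|onclick|onmouseover|onfocus|onsubmit';
    return !preg_match('/<script|javascript:|\b(' . $events . ')\s*=/i', $html);
}

// Allowlist: parse, keep only known tags and attributes, check URL schemes,
// drop everything else (including the content of removed elements).
function sanitize_allowlist(string $html): string
{
    $allowedTags  = ['p', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'br', 'a', 'img'];
    $allowedAttrs = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
    $safeSchemes  = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // fragments are rarely well-formed; ASCII input assumed
    $doc->loadHTML('<div id="root">' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="root"]')->item(0);
    // Snapshot the node list first: removing nodes while walking a live list skips siblings.
    foreach (iterator_to_array($xpath->query('.//*', $root), false) as $el) {
        if (!in_array($el->nodeName, $allowedTags, true)) {
            $el->parentNode->removeChild($el);    // <script>, <style>, <svg>, <iframe>, ...
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok   = in_array($name, $allowedAttrs[$el->nodeName] ?? [], true);
            if ($ok && ($name === 'href' || $name === 'src')) {
                $scheme = parse_url(trim($attr->nodeValue), PHP_URL_SCHEME);
                $ok = $scheme === null || in_array(strtolower((string) $scheme), $safeSchemes, true);
            }
            if (!$ok) {
                $el->removeAttribute($attr->nodeName);   // on*, style, srcdoc, unknown attributes
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$payloads = [
    '<p>hello <b>world</b></p>',
    '<img src="x" onerror="alert(1)">',
    '<style>@keyframes x{}</style><p style="animation-name:x" onanimationstart="alert(1)">hi</p>',
    '<a href="javascript:alert(1)">click</a>',
];
foreach ($payloads as $p) {
    printf("blocklist clean: %-3s | allowlist: %s\n", is_clean_html_blocklist($p) ? 'yes' : 'no', sanitize_allowlist($p));
}
```

The blocklist reports the third payload as clean because onanimationstart is not in its list, while the allowlist strips the `<style>` element, the style attribute and the handler and leaves `<p>hi</p>`. The advisory for CVE-2024-21627 recommends HTMLPurifier, which is an allowlist sanitizer of this kind with far more complete tag, attribute and CSS handling than this sketch.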

PrestaShop <8.0.4/1.7.8.9 Filesystem Read via SQL LOAD_FILE in SQL Manager
CVE-2023-30545 6.5 - Medium - April 25, 2023

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system by using the SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and 1.7.8.9.

SQL Injection

SQLi in Prestashop: AdvancedPopupCreator 1.1.21-1.1.24 via getPopups()
CVE-2023-27032 9.8 - Critical - April 12, 2023

Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups().

SQL Injection

Prestashop cdesigner v3.1.3-3.1.8 Code Injection via initContent()
CVE-2023-27033 9.8 - Critical - April 07, 2023

Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent().

Unrestricted File Upload

PrestaShop ws_productreviews SQLi <3.6.2
CVE-2023-25206 8.8 - High - March 14, 2023

PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.

SQL Injection

PrestaShop <8.0.1 CSRF Token Not Cleared on Login (Fixed in 8.0.1)
CVE-2023-25170 8.8 - High - March 13, 2023

PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.

Session Riding
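The session-fixation angle above works only because a token planted before login is still valid after it. The PHP below is an added illustration rather than PrestaShop's code; the Csrf class, the function names and the array standing in for $_SESSION are assumptions of the example so that it runs without a web server.

```php
<?php
// Added example, not PrestaShop's code: a CSRF token that survives login lets an
// attacker who seeded the victim's session forge post-login requests. Rotating
// the session and the token on login removes what was pre-seeded.

final class Csrf
{
    // $session is a plain array here so the example runs from the CLI;
    // in a real application this is $_SESSION (constructed stand-in).
    public static function token(array &$session): string
    {
        if (empty($session['csrf'])) {
            $session['csrf'] = bin2hex(random_bytes(32));
        }
        return $session['csrf'];
    }

    public static function check(array $session, ?string $presented): bool
    {
        return isset($session['csrf'], $presented)
            && hash_equals($session['csrf'], $presented);   // constant-time compare
    }
}

// Vulnerable login: keeps every session attribute, including a token the attacker
// may have planted before the victim authenticated.
function login_preserving(array &$session, int $userId): void
{
    $session['user_id'] = $userId;
}

// Fixed login: drop pre-auth state, issue a fresh token, and rotate the session id
// (session_regenerate_id(true) when a real session is active) so a pre-seeded
// cookie is no longer valid either.
function login_rotating(array &$session, int $userId): void
{
    $session = ['user_id' => $userId];
    $session['csrf'] = bin2hex(random_bytes(32));
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Fixation: the attacker set up the victim's session, so they know this token.
$victim = [];
$attackerKnown = Csrf::token($victim);
login_preserving($victim, 42);
var_dump(Csrf::check($victim, $attackerKnown));          // bool(true): forged post-login request accepted

$victim = [];
$attackerKnown = Csrf::token($victim);
login_rotating($victim, 42);
var_dump(Csrf::check($victim, $attackerKnown));          // bool(false): planted token no longer valid
var_dump(Csrf::check($victim, Csrf::token($victim)));    // bool(true): a freshly rendered form still works
```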

Blind SQLi in PrestaShop Stripejs Module <=4.5.5
CVE-2023-23315 9.8 - Critical - March 01, 2023

The PrestaShop e-commerce platform module stripejs contains a Blind SQL injection vulnerability up to version 4.5.5. The method `stripejsValidationModuleFrontController::initContent()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

SQL Injection
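Most of the module entries on this page (chronopost, opartlimitquantity, stripejs, the Store Commander and Theme Volty modules, and the rest) describe the same shape: a front controller reads a request parameter and concatenates it into SQL that runs without authentication. The PHP below is an added illustration and is not taken from any of those modules; the ps_cart table, its rows and the two lookup functions are constructed for the demo, and it needs the pdo_sqlite extension so that it runs offline.

```php
<?php
// Added example, not code from any module listed above: the "sensitive SQL call
// reachable by a trivial HTTP request" pattern, first concatenated, then bound,
// against an in-memory SQLite table. Table and rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ps_cart (id_cart INTEGER PRIMARY KEY, id_customer INTEGER, secure_key TEXT)');
$db->exec("INSERT INTO ps_cart VALUES (1, 7, 'k1'), (2, 8, 'k2'), (3, 9, 'k3')");

// Vulnerable: a front controller pastes the request parameter straight into SQL.
function cart_lookup_concat(PDO $db, string $idCart): array
{
    $sql = 'SELECT id_cart, id_customer FROM ps_cart WHERE id_cart = ' . $idCart;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the parameter is cast to the column's type and bound as a placeholder,
// so whatever follows the number never reaches the SQL parser as syntax.
function cart_lookup_bound(PDO $db, string $idCart): array
{
    $stmt = $db->prepare('SELECT id_cart, id_customer FROM ps_cart WHERE id_cart = :id');
    $stmt->bindValue(':id', (int) $idCart, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String columns need the same treatment: quoting by hand is how "' OR '1'='1" gets in.
function cart_by_key_bound(PDO $db, string $key): array
{
    $stmt = $db->prepare('SELECT id_cart FROM ps_cart WHERE secure_key = :key');
    $stmt->bindValue(':key', $key, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$tampered = '1 OR 1=1';                          // e.g. ?id_cart=1%20OR%201%3D1
print_r(cart_lookup_concat($db, $tampered));     // three rows: every customer's cart
print_r(cart_lookup_bound($db, $tampered));      // one row, cart 1 only
print_r(cart_by_key_bound($db, "' OR '1'='1"));  // empty: the quote is data, not syntax
```

The bound version returns only cart 1 because (int) '1 OR 1=1' is 1 and the placeholder is sent separately from the query text. In a PrestaShop module the equivalent discipline is casting integers with (int) and passing strings through pSQL() before they reach Db::getInstance(), since the legacy Db layer assembles query strings rather than prepared statements; the front controllers named in the entries above are exactly the places where that step was missing.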

Correos module for PrestaShop 1.7.x: Directory Traversal via descarga_etiqueta.php
CVE-2022-46639 7.5 - High - January 23, 2023

A vulnerability in the descarga_etiqueta.php component of the Correos module for PrestaShop 1.7.x allows attackers to perform a directory traversal.

Directory traversal

skeemas (Prestaul) validators/base.js ReDoS, not a PrestaShop issue (CVE-2018-25074)
CVE-2018-25074 7.5 - High - January 11, 2023

A vulnerability was found in Prestaul skeemas, a Node.js package unrelated to PrestaShop that is listed here because of the vendor-name match, and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The patch is named 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply the patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.

ReDoS

PrestaShop <1.7.8.8 Host Filesystem Access Bypass in Upload Directory
CVE-2022-46158 4.3 - Medium - December 08, 2022

PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue.

AuthZ
