PrestaShop 8.2.5/9.1.0 Stored XSS in BO Templates
CVE-2026-33673 Published on March 26, 2026
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Vulnerability Analysis
CVE-2026-33673 can be exploited with network access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-33673 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-33673
Want to know whenever a new CVE is published for PrestaShop? stack.watch will email you.
Affected Versions
PrestaShop:- Version >= 9.0.0-alpha.1, < 9.1.0 is affected.
- Version < 8.2.5 is affected.