PrestaShop XSS in Customer Service (<8.2.6, <9.1.1)
CVE-2026-44212 Published on May 14, 2026
PrestaShop: Stored XSS executable in customer service view
PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.
Vulnerability Analysis
CVE-2026-44212 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-44212 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-44212
Want to know whenever a new CVE is published for PrestaShop? stack.watch will email you.
Affected Versions
PrestaShop:- Version < 8.2.6 is affected.
- Version >= 9.0.0-alpha.1, < 9.1.1 is affected.