Skip to main content

Microsoft EUVDEUVD-2026-16441

| CVE-2026-33673 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 https://github.com/PrestaShop/PrestaShop
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 19:47 euvd
EUVD-2026-16441
Analysis Generated
Mar 25, 2026 - 19:47 vuln.today
CVE Published
Mar 25, 2026 - 19:41 nvd
HIGH 7.6

DescriptionGitHub Advisory

Impact

Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates.

Patches

Patched on 8.2.5 and 9.1.0

Workarounds

None

References

None

AnalysisAI

PrestaShop contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the back-office (BO) administration panel. An attacker with limited back-office access or who has exploited a separate vulnerability to inject data into the database can exploit unprotected template variables to execute arbitrary JavaScript in administrators' browsers. The CVSS score of 7.7 reflects high attack complexity and the requirement for high privileges, though no evidence of active exploitation (KEV) or public proof-of-concept is currently available.

Technical ContextAI

PrestaShop is an open-source e-commerce platform built on PHP. The affected components are pkg:composer/prestashop_prestashop packages, specifically the back-office administrative interface templates. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-controlled data stored in the database is rendered in back-office templates without proper sanitization or output encoding. This stored XSS variant is particularly dangerous because the malicious payload persists in the database and executes whenever an administrator views the affected page, enabling session hijacking, privilege escalation within the administrative panel, or further system compromise.

RemediationAI

Upgrade PrestaShop to version 8.2.5 or later for 8.x installations, or to version 9.1.0 or later for 9.x installations. Download and installation instructions are available in the official release announcements at https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5 and https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0. No workarounds are available according to the vendor advisory at https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv, making patching the only effective remediation. As an interim defense-in-depth measure until patching is complete, organizations should review and minimize back-office user privileges, audit database access logs for unauthorized modifications, and implement Content Security Policy (CSP) headers to limit the impact of potential XSS exploitation.

Share

EUVD-2026-16441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy