Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates.
Patches
Patched on 8.2.5 and 9.1.0
Workarounds
None
References
None
AnalysisAI
PrestaShop contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the back-office (BO) administration panel. An attacker with limited back-office access or who has exploited a separate vulnerability to inject data into the database can exploit unprotected template variables to execute arbitrary JavaScript in administrators' browsers. The CVSS score of 7.7 reflects high attack complexity and the requirement for high privileges, though no evidence of active exploitation (KEV) or public proof-of-concept is currently available.
Technical ContextAI
PrestaShop is an open-source e-commerce platform built on PHP. The affected components are pkg:composer/prestashop_prestashop packages, specifically the back-office administrative interface templates. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-controlled data stored in the database is rendered in back-office templates without proper sanitization or output encoding. This stored XSS variant is particularly dangerous because the malicious payload persists in the database and executes whenever an administrator views the affected page, enabling session hijacking, privilege escalation within the administrative panel, or further system compromise.
RemediationAI
Upgrade PrestaShop to version 8.2.5 or later for 8.x installations, or to version 9.1.0 or later for 9.x installations. Download and installation instructions are available in the official release announcements at https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5 and https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0. No workarounds are available according to the vendor advisory at https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv, making patching the only effective remediation. As an interim defense-in-depth measure until patching is complete, organizations should review and minimize back-office user privileges, audit database access logs for unauthorized modifications, and implement Content Security Policy (CSP) headers to limit the impact of potential XSS exploitation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16441