Skip to main content

PrestaShop EUVDEUVD-2026-30481

| CVE-2026-44212 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 https://github.com/PrestaShop/PrestaShop GHSA-w9f3-qc75-qgx9
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 17:15 vuln.today
Analysis Generated
May 08, 2026 - 17:15 vuln.today
CVE Published
May 08, 2026 - 16:54 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Impact

This is a stored Cross-site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view.

An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover.

Patches

Patched in PrestaShop 8.2.6 and 9.1.1.

Workarounds

None.

Resources

  • Reported by Savio at Doyensec (anthropic@doyensec.com) in collaboration with Anthropic Research.

AnalysisAI

Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.

Technical ContextAI

This is a CWE-79 stored cross-site scripting vulnerability in PrestaShop's back-office Customer Service module. PrestaShop is an open-source e-commerce platform built on PHP. The vulnerability exists in the customer thread rendering logic within the administrative interface. When processing Contact Us form submissions, PrestaShop fails to properly sanitize the email address field before storing it in the database. Subsequently, when administrative users view customer service threads, the application retrieves and renders this unsanitized email field without proper output encoding, causing malicious JavaScript payloads to execute in the context of the administrator's browser session. The CPE identifiers pkg:composer/prestashop/prestashop confirm this affects the core PrestaShop application distributed via Composer package manager. The stored nature of this XSS makes it more dangerous than reflected XSS, as the payload persists and can affect multiple administrative users over time.

RemediationAI

Upgrade immediately to PrestaShop 8.2.6 (for 8.x installations) or PrestaShop 9.1.1 (for 9.x installations) as documented in GitHub Security Advisory GHSA-w9f3-qc75-qgx9 at https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9. The vendor explicitly states no workarounds exist, making patching the only effective remediation. As an interim compensating control until patching is complete, restrict access to the back-office Customer Service interface to trusted networks only via IP allowlisting or VPN requirement, which reduces attack surface by preventing arbitrary internet users from accessing the vulnerable view even if malicious payloads are submitted; however, this does not prevent payload injection via the public Contact Us form and only delays exploitation. Additionally, implement Content Security Policy headers on back-office pages to restrict inline script execution, though this may interfere with legitimate PrestaShop administrative functionality and requires testing. Train administrative staff not to open customer service threads from untrusted or suspicious contact form submissions until patching is complete, though this is operationally impractical for active customer service operations. These compensating controls provide limited risk reduction and should not replace immediate patching.

Share

EUVD-2026-30481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy