Skip to main content

PrestaShop The Firmware EUVDEUVD-2026-43335

| CVE-2026-14846 MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-07-13 INCIBE
4.5
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
4.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Attacker needs only a regular authenticated account (PR:L) to set the alias; victim interaction (UI:R) and scope change to spreadsheet application (S:C) reflect the formula-execution mechanism.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:30 vuln.today

DescriptionCVE.org

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

AnalysisAI

CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege account
Delivery
Inject formula into Alias address field
Exploit
Wait for victim to export CSV data
Execution
Victim opens CSV in spreadsheet app
Persist
Malicious formula executes in victim context
Impact
Victim personal data accessed or exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privilege account on the PrestaShop instance (PR:H per the CVSS 4.0 vector - the exact role level, e.g., shop administrator vs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:A) encodes meaningful risk-reducing constraints: the attacker requires high privileges (PR:H), a specific attack requirement must be met (AT:P), and active user interaction is needed (UI:A - the victim must export and open the CSV file). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an authenticated account in the PrestaShop store navigates to 'Update your address' and sets the Alias field to a malicious formula such as '=CMD|' /C calc'!A0' or an IMPORTXML data-exfiltration expression. When a store administrator or the account owner later exports account data via 'Get my data in CSV' and opens the file in Microsoft Excel or LibreOffice Calc, the injected formula executes within the spreadsheet application, potentially reading local files or initiating outbound connections to an attacker-controlled server. …
Remediation No vendor-released patch version has been identified in the available data; the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-neutralisation-prestashop-firmware should be consulted for current patch status. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy