Skip to main content

The Firmware

1 CVEs product

Monthly

CVE-2026-14846 MEDIUM This Month

CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.

Code Injection The Firmware
NVD
CVSS 4.0
4.5
EPSS
0.3%
EPSS 0% CVSS 4.5
MEDIUM This Month

CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.

Code Injection The Firmware
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy