Description
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via Timing
Action: Apply Update
AI Analysis

Impact

PrestaShop prior to releases 8.2.4 and 9.0.3 contains a timing side‑channel flaw in its front‑office login form that allows an attacker to determine whether a customer account exists by measuring response delays. The vulnerability is classified as CWE‑208 and can leak customer identities, a form of information disclosure that may enable targeted credential‑stuffing or phishing. While it does not provide code execution or direct data exfiltration, the knowledge of valid accounts can be leveraged in subsequent attacks.

Affected Systems

Affected systems include PrestaShop 8.x releases up to 8.2.3 and PrestaShop 9.x releases up to 9.0.2. Any installation using those versions is vulnerable until it is upgraded to 8.2.4 or later, or to 9.0.3 or later.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS shows less than 1% probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited current exploitation. The attack vector is a remote web request to the front‑office login endpoint and requires no privileged access. An attacker can send repeated requests with different user names and compare response times to infer the existence of accounts, making the attack straightforward for automated scanners.

Generated by OpenCVE AI on April 18, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PrestaShop 8.2.4 or later, or to 9.0.3 or later.
  • Implement rate limiting or CAPTCHA protection on the front‑office login form to impede automated timing attacks.
  • If an immediate upgrade is not feasible, consider disabling or restricting the public login form and enforcing tighter access controls for authentication.
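As an added illustration (not PrestaShop code; the customer store, e-mail address, salts and passwords are constructed here), the two login routines below show the CWE-208 pattern the analysis describes and the usual fix: the unknown-account path must perform the same password-hashing work as the known-account path, so that response time no longer reveals whether the account exists.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000          # PBKDF2 work factor; kept modest so the demo runs quickly
HASH_CALLS = 0                # counts hashing operations so each login path's work can be compared

def _hash(password: str, salt: bytes) -> bytes:
    """One slow password hash; every call is counted."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed customer store: a single hypothetical account.
_SALT = os.urandom(16)
CUSTOMERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed once at start-up; the unknown-account path verifies against it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)

def login_leaky(email: str, password: str) -> bool:
    """Leaky shape: an unknown e-mail returns before any hashing, so it answers much faster."""
    record = CUSTOMERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)

def login_constant_work(email: str, password: str) -> bool:
    """Hardened shape: exactly one hash and one constant-time compare on every path."""
    salt, stored = CUSTOMERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and email in CUSTOMERS   # the dummy hash must never grant access

def hash_calls_for(login, email: str, password: str) -> int:
    """Number of hashing operations one attempt performs (the work a timing oracle observes)."""
    before = HASH_CALLS
    login(email, password)
    return HASH_CALLS - before

def elapsed_ms(login, email: str, password: str) -> float:
    """Wall-clock cost of one attempt, to see the gap the leaky shape exposes."""
    start = time.perf_counter()
    login(email, password)
    return (time.perf_counter() - start) * 1000

if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = elapsed_ms(fn, "alice@example.com", "wrong")
        unknown = elapsed_ms(fn, "nobody@example.com", "wrong")
        print(f"{fn.__name__}: known {known:.1f} ms, unknown {unknown:.1f} ms")
```

Rate limiting on the form, as recommended above, narrows the attacker's sample size, but only equalising the work done on both paths removes the oracle itself.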

Advisories
Source        ID                    Title
Github GHSA   GHSA-67v7-3g49-mxh2   PrestaShop affected by time based enumeration in FO login form
History

Thu, 19 Feb 2026 17:30:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Prestashop
                                       Prestashop prestashop
Vendors & Products                     Prestashop
                                       Prestashop prestashop

Fri, 06 Feb 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
Title                          PrestaShop has a time based enumeration in FO login form
Weaknesses                     CWE-208
References
Metrics                        cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:27:54.047Z

Reserved: 2026-02-03T01:02:46.717Z

Link: CVE-2026-25597

Vulnrichment

Updated: 2026-02-09T15:22:01.809Z

NVD

Status: Analyzed

Published: 2026-02-06T21:16:17.933

Modified: 2026-02-19T17:27:30.690

Link: CVE-2026-25597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses