Description
PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.
Published: 2026-05-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PrestaShop versions before 8.2.6 and 9.1.1 contain a stored XSS flaw in the Customer Service view. An unauthenticated attacker can submit a malicious email address through the public Contact Us form; the payload is stored in the database and executed when a back‑office employee opens the related customer thread. The attack can hijack the employee’s session and grant the attacker full control of the back office, compromising confidentiality, integrity, and availability of store data.

Affected Systems

The vulnerability affects all PrestaShop releases older than 8.2.6 and 9.1.1. Any installation of those versions that has not applied the official fix is vulnerable.

Risk and Exploitability

The CVSS score of 9.3 signals a critical severity. Although no EPSS score is listed, the flaw can be exploited with only a web request and does not require authentication to submit the form. The vulnerability is not yet listed in the CISA KEV catalog, but the high CVSS and ease of trigger mean it is a high‑risk issue for exposed e‑commerce sites.

Generated by OpenCVE AI on May 14, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PrestaShop 8.2.6 or later, or 9.1.1 or later, where the flaw is fixed
  • Validate and sanitize any input that can appear in the Customer Service thread, especially email addresses
  • Implement a Content Security Policy that restricts inline scripts in the back‑office interface

Generated by OpenCVE AI on May 14, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w9f3-qc75-qgx9 PrestaShop has a stored XSS executable in customer service view
History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Prestashop
Prestashop prestashop
Vendors & Products Prestashop
Prestashop prestashop

Thu, 14 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.
Title PrestaShop: Stored XSS executable in customer service view
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Prestashop Prestashop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T13:34:09.904Z

Reserved: 2026-05-05T15:13:47.571Z

Link: CVE-2026-44212

cve-icon Vulnrichment

Updated: 2026-05-15T13:34:04.403Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T21:16:46.540

Modified: 2026-05-15T14:30:03.170

Link: CVE-2026-44212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses