CVE-2026-44212
CriticalSummary
In PrestaShop, prior to versions 8.2.6 and 9.1.1, there is a Cross-Site Scripting (XSS) vulnerability in the back-office Customer Service view. An unauthenticated attacker can submit a malicious email address through the Contact Us form, leading to session hijacking and full back-office takeover.
Risk Assessment
This vulnerability poses a significant risk to organizations, allowing attackers to gain control over the management system, which may result in customer data leaks and other malicious activities.
Recommendation
It is recommended to update PrestaShop to version 8.2.6 or 9.1.1 to mitigate this vulnerability. Additionally, conducting a security audit to identify potential threats is advisable.
Original NVD description (English source)
PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.

