CVE Catalog

CVE-2026-44212

Critical
Published: Translated: NVD NIST

Summary

In PrestaShop, prior to versions 8.2.6 and 9.1.1, there is a Cross-Site Scripting (XSS) vulnerability in the back-office Customer Service view. An unauthenticated attacker can submit a malicious email address through the Contact Us form, leading to session hijacking and full back-office takeover.

Risk Assessment

This vulnerability poses a significant risk to organizations, allowing attackers to gain control over the management system, which may result in customer data leaks and other malicious activities.

Recommendation

It is recommended to update PrestaShop to version 8.2.6 or 9.1.1 to mitigate this vulnerability. Additionally, conducting a security audit to identify potential threats is advisable.

Original NVD description (English source)

PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS