CVE-2018-19126

CRITICAL

PrestaShop 1.6.0.1-1.6.1.22 - Unauthenticated Arbitrary File Upload and Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-19126. PoCs published by Fariskhi Vidyan, farisv.

AI-analyzed exploit summary This exploit chains multiple vulnerabilities in PrestaShop to achieve remote code execution via deserialization of a malicious PHAR file. It leverages file upload and directory manipulation to trigger the payload.

Description

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.

Exploits (2)

exploitdb WORKING POC
by Fariskhi Vidyan · phpwebappsphp
https://www.exploit-db.com/exploits/45964

This exploit chains multiple vulnerabilities in PrestaShop to achieve remote code execution via deserialization of a malicious PHAR file. It leverages file upload and directory manipulation to trigger the payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4
Auth required
Prerequisites: Valid back-office credentials · File upload access · PHAR extension enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 40 stars
by farisv · poc
https://github.com/farisv/PrestaShop-CVE-2018-19126

This repository contains a functional exploit for CVE-2018-19126, which chains multiple vulnerabilities in PrestaShop to achieve remote code execution via phar deserialization. The exploit automates the process of uploading a malicious phar file, renaming the upload directory, and triggering deserialization.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4
Auth required
Prerequisites: PrestaShop Back Office account · PHP with curl extension · phar.readonly = Off in php.ini
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/pull/11286
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/pull/11285
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45964/
Release Notes, Third Party Advisory x_refsource_misc
http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/

Scores

CVSS v3 9.8
EPSS 0.2253
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
prestashop/prestashop 1.6.0.1 - 1.6.1.23
Published Nov 09, 2018
Tracked Since Feb 18, 2026