CVE-2023-39526

CRITICAL

PrestaShop < 1.7.8.10 - SQL Injection

Title source: rule

Description

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

Exploits (1)

nomisec WORKING POC 3 stars
by dnkhack · poc
https://github.com/dnkhack/fixcve2023_39526_2023_39527

Scores

CVSS v3 9.1
EPSS 0.1078
EPSS Percentile 93.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (3)
prestashop/prestashop 8.1.0
prestashop/prestashop < 1.7.8.10
prestashop/prestashop 8.1.0 - 8.1.1 (Packagist)
Published Aug 07, 2023
Tracked Since Feb 18, 2026