CVE-2023-39526

CRITICAL

PrestaShop <1.7.8.10, 8.0.5, <8.1.1 - Remote Code Execution via SQL Injection and Arbitrary File Write

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-39526. PoCs published by dnkhack.

AI-analyzed exploit summary: This repository contains a functional PrestaShop module that patches CVE-2023-39526 and CVE-2023-39527 by modifying core files to mitigate SQL injection and XSS vulnerabilities. The module applies and removes patches to Validate.php, RequestSql.php, and Db.php.

Description

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

Exploits (1)

nomisec WORKING POC 3 stars
by dnkhack · poc
https://github.com/dnkhack/fixcve2023_39526_2023_39527

Classification: Working PoC (90%)
Attack Type: SQLi | XSS
Complexity: Moderate
Reliability: Reliable
Target: PrestaShop 1.7.x
Auth required: yes
Prerequisites: PrestaShop installation with admin access to install modules
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 9.1
EPSS: 0.1387
EPSS Percentile: 94.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-89
Status: published
Products (3):
prestashop/prestashop 8.1.0
prestashop/prestashop < 1.7.8.10
prestashop/prestashop 8.1.0 - 8.1.1 (Packagist)
Published: Aug 07, 2023
Tracked Since: Feb 18, 2026