CVE-2026-25597

MEDIUM

PrestaShop <8.2.4, <9.0.3 - Info Disclosure

Title source: llm

Description

PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.

References (3)

[Vendor Advisory] https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2

[Release Notes] https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4

[Release Notes] https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-208

Status published

Products (2)

prestashop/prestashop < 8.2.4

prestashop/prestashop 9.0.0-alpha.1 - 9.0.3Packagist

Published Feb 06, 2026

Tracked Since Feb 18, 2026