CVE-2026-33673

HIGH

PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables

Title source: cna

Description

PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

References (3)

[X_Refsource_Confirm] https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv

[X_Refsource_Misc] https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5

[X_Refsource_Misc] https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0

Scores

CVSS v3 7.6

EPSS 0.0004

EPSS Percentile 11.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (4)

prestashop/prestashop < 8.2.5

PrestaShop/PrestaShop < 8.2.5

prestashop/prestashop 9.0.0-alpha.1 - 9.1.0Packagist

PrestaShop/PrestaShop >= 9.0.0-alpha.1, < 9.1.0

Published Mar 26, 2026

Tracked Since Mar 27, 2026