Prestashop
by Prestashop
Source repositories
CVEs (93)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8823 | | Critical | 0.68 | 9.8 | 0.52 | | Mar 28, 2018 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter. |
| CVE-2018-10942 | | Critical | 0.65 | 9.8 | 0.13 | | May 10, 2018 | modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file. |
| CVE-2018-8824 | | Critical | 0.64 | 9.8 | 0.01 | | May 10, 2018 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. |
| CVE-2026-44212 | | Critical | 0.53 | 9.3 | 0.00 | | May 14, 2026 | PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious… |
| CVE-2026-33673 | | High | 0.42 | 7.6 | 0.00 | | Mar 26, 2026 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously… |
| CVE-2018-5682 | | Medium | 0.35 | 5.3 | 0.01 | | Jan 13, 2018 | PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message. |
| CVE-2018-5681 | | Medium | 0.35 | 5.4 | 0.01 | | Jan 13, 2018 | PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen. |
| CVE-2025-1230 | | Medium | 0.31 | 4.8 | 0.00 | | Feb 12, 2025 | Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query… |
| CVE-2026-33674 | | Low | 0.06 | 2.0 | 0.00 | | Mar 26, 2026 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. |
| CVE-2021-3110 | | | 0.06 | — | 0.21 | | Jan 20, 2021 | The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. |
| CVE-2018-19126 | | | 0.05 | — | 0.23 | | Nov 9, 2018 | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. |
| CVE-2018-19125 | | | 0.04 | — | 0.11 | | Nov 9, 2018 | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory. |
| CVE-2018-13784 | | Critical | 0.04 | 9.1 | 0.17 | | Jul 9, 2018 | PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php. |
| CVE-2024-41651 | | | 0.03 | — | 0.01 | | Aug 12, 2024 | An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an… |
| CVE-2012-2517 | | | 0.03 | — | 0.02 | | Feb 11, 2020 | Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php. |
| CVE-2011-4545 | | | 0.03 | — | 0.04 | | Dec 2, 2011 | CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. |
| CVE-2011-4544 | | | 0.03 | — | 0.03 | | Dec 1, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville,… |
| CVE-2008-6503 | | | 0.03 | — | 0.02 | | Mar 20, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. |
| CVE-2018-19355 | | | 0.01 | — | 0.04 | | Nov 19, 2018 | modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations… |
| CVE-2026-25597 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in… |
Page 1 of 5