Prestashop
All CVEs
221 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8823 | | Critical | 0.68 | 9.8 | 0.52 | | Mar 28, 2018 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter. |
| CVE-2018-10942 | | Critical | 0.65 | 9.8 | 0.13 | | May 10, 2018 | modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file. |
| CVE-2025-69633 | | Critical | 0.64 | 9.8 | 0.00 | | Feb 13, 2026 | A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup… |
| CVE-2024-33275 | | Critical | 0.64 | 9.8 | 0.01 | | Apr 30, 2024 | SQL injection vulnerability in Webbax supernewsletter v.1.4.21 and before allows a remote attacker to escalate privileges via the Super Newsletter module in the product_search.php components. |
| CVE-2024-28394 | | Critical | 0.64 | 9.8 | 0.01 | | Mar 19, 2024 | An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module. |
| CVE-2023-36263 | | Critical | 0.64 | 9.8 | 0.00 | | Oct 31, 2023 | Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. `OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2023-34576 | | Critical | 0.64 | 9.8 | 0.01 | | Sep 21, 2023 | SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via an unspecified vector. |
| CVE-2023-34575 | | Critical | 0.64 | 9.8 | 0.01 | | Sep 20, 2023 | SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via the OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods. |
| CVE-2018-8824 | | Critical | 0.64 | 9.8 | 0.01 | | May 10, 2018 | modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. |
| CVE-2026-44212 | | Critical | 0.53 | 9.3 | 0.00 | | May 14, 2026 | PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious… |
| CVE-2026-39079 | | High | 0.49 | 7.5 | 0.00 | | May 18, 2026 | An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components. |
| CVE-2024-36682 | | High | 0.49 | 7.5 | 0.00 | | Jun 24, 2024 | In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all emails collected while the shop is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collects emails when maintenance is… |
| CVE-2024-33270 | | High | 0.49 | 7.5 | 0.01 | | Apr 30, 2024 | An issue in FME Modules fileuploads v.2.0.3 and before, fixed in v2.0.4, allows a remote attacker to obtain sensitive information via the uploadfiles.php component. |
| CVE-2026-33673 | | High | 0.42 | 7.6 | 0.00 | | Mar 26, 2026 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously… |
| CVE-2023-30148 | | Medium | 0.40 | 6.1 | 0.00 | | Oct 14, 2023 | Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock* version 1.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field in… |
| CVE-2018-5682 | | Medium | 0.35 | 5.3 | 0.01 | | Jan 13, 2018 | PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message. |
| CVE-2018-5681 | | Medium | 0.35 | 5.4 | 0.01 | | Jan 13, 2018 | PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen. |
| CVE-2025-24027 | | Medium | 0.33 | 6.2 | 0.00 | | Jan 22, 2025 | ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This cannot be exploited in a fresh install of PrestaShop; only shops made vulnerable by third party modules are… |
| CVE-2025-1230 | | Medium | 0.31 | 4.8 | 0.00 | | Feb 12, 2025 | Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through '/<admin_directory>/index.php', affecting the 'link' parameter. This vulnerability could allow a remote user to send a specially crafted query… |
| CVE-2023-45375 | | | 0.07 | — | 0.38 | | Oct 17, 2023 | In the module "PireosPay" (pireospay) before version 1.7.10 from 01generator.com for PrestaShop, a guest can perform SQL injection via `PireosPayValidationModuleFrontController::postProcess()`. |
| CVE-2023-27640 | | | 0.07 | — | 0.04 | | Jun 1, 2023 | An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter type in the /tshirtecommerce/fonts.php endpoint, to allow a remote attacker to traverse directories on the system in… |
| CVE-2023-27639 | | | 0.07 | — | 0.04 | | Jun 1, 2023 | An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on… |
| CVE-2023-27034 | | | 0.07 | — | 0.59 | | Mar 23, 2023 | PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability. |
| CVE-2022-22897 | | | 0.07 | — | 0.11 | | Aug 29, 2022 | A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data. |
| CVE-2026-33674 | | Low | 0.06 | 2.0 | 0.00 | | Mar 26, 2026 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. |
| CVE-2023-46347 | | | 0.06 | — | 0.50 | | Oct 25, 2023 | In the module "Step by Step products Pack" (ndk_steppingpack) version 1.5.6 and before from NDK Design for PrestaShop, a guest can perform SQL injection. The method `NdkSpack::getPacks()` has sensitive SQL calls that can be executed with a trivial http call and exploited to… |
| CVE-2023-39677 | | | 0.06 | — | 0.31 | | Sep 20, 2023 | MyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php. |
| CVE-2023-27847 | | | 0.06 | — | 0.05 | | Mar 27, 2023 | SQL injection vulnerability found in PrestaShop xipblog v.2.0.1 and before allows a remote attacker to gain privileges via the xipcategoryclass and xippostsclass components. |
| CVE-2021-3110 | | | 0.06 | — | 0.21 | | Jan 20, 2021 | The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. |
| CVE-2023-30194 | | | 0.05 | — | 0.32 | | May 10, 2023 | Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). |
| CVE-2018-19126 | | | 0.05 | — | 0.23 | | Nov 9, 2018 | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. |
| CVE-2023-30150 | | | 0.04 | — | 0.04 | | Jun 14, 2023 | PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php. |
| CVE-2018-19125 | | | 0.04 | — | 0.11 | | Nov 9, 2018 | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory. |
| CVE-2018-13784 | | Critical | 0.04 | 9.1 | 0.17 | | Jul 9, 2018 | PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php. |
| CVE-2014-2009 | | | 0.04 | — | 0.07 | | Sep 12, 2014 | The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log. |
| CVE-2024-41651 | | | 0.03 | — | 0.01 | | Aug 12, 2024 | An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an… |
| CVE-2023-30198 | | | 0.03 | — | 0.06 | | Jun 12, 2023 | Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php. |
| CVE-2023-27032 | | | 0.03 | — | 0.03 | | Apr 12, 2023 | Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups(). |
| CVE-2012-2517 | | | 0.03 | — | 0.02 | | Feb 11, 2020 | Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php. |
| CVE-2011-4545 | | | 0.03 | — | 0.04 | | Dec 2, 2011 | CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. |
| CVE-2011-4544 | | | 0.03 | — | 0.03 | | Dec 1, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville,… |
| CVE-2008-6503 | | | 0.03 | — | 0.02 | | Mar 20, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. |
| CVE-2023-30149 | | | 0.01 | — | 0.18 | | Jun 2, 2023 | SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via… |
| CVE-2018-19355 | | | 0.01 | — | 0.04 | | Nov 19, 2018 | modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations… |
| CVE-2026-25597 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in… |
| CVE-2025-61924 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1… |
| CVE-2025-61923 | | | 0.00 | — | 0.01 | | Oct 16, 2025 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input, resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions… |
| CVE-2025-61922 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The… |
| CVE-2025-51586 | | | 0.00 | — | 0.01 | | Sep 8, 2025 | An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. |
| CVE-2025-25692 | | | 0.00 | — | 0.01 | | Jul 30, 2025 | A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. |
Page 1 of 5