CVE-2026-33673
Received Received - Intake

Stored XSS in PrestaShop Back Office Allows Data Injection

Vulnerability report for CVE-2026-33673, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-26

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description

PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-26
Last Modified
2026-04-01
Generated
2026-07-06
AI Q&A
2026-03-27
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
prestashop prestashop to 8.2.5 (exc)
prestashop prestashop From 9.0.0 (inc) to 9.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects PrestaShop, an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) attacks in the back-office (BO). An attacker who can inject data into the database, either through limited back-office access or by exploiting a previously existing vulnerability, can exploit unprotected variables in back-office templates to execute malicious scripts.

Impact Analysis

The impact of this vulnerability is significant as it allows an attacker to execute arbitrary scripts in the context of the back-office interface. This can lead to complete compromise of confidentiality, integrity, and availability of the affected system, as indicated by the CVSS score of 7.6 with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PrestaShop to version 8.2.5 or 9.1.0, as these versions contain the fix for the stored Cross-Site Scripting (XSS) vulnerabilities in the back-office.

No known workarounds are available, so applying the official patch by upgrading is the immediate recommended action.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue in PrestaShop versions prior to 8.2.5 and 9.1.0, which allows attackers to inject malicious scripts via the back-office interface.

Such vulnerabilities can lead to unauthorized access, data manipulation, or data leakage, potentially compromising the confidentiality and integrity of personal or sensitive data.

This can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

However, the provided information does not explicitly detail the compliance impact or specific regulatory implications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33673. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart