CVE-2026-33673
Stored XSS in PrestaShop Back Office Allows Data Injection
Publication date: 2026-03-26
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prestashop | prestashop | to 8.2.5 (exc) |
| prestashop | prestashop | From 9.0.0 (inc) to 9.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a stored Cross-Site Scripting (XSS) issue in PrestaShop versions prior to 8.2.5 and 9.1.0, which allows attackers to inject malicious scripts via the back-office interface.
Such vulnerabilities can lead to unauthorized access, data manipulation, or data leakage, potentially compromising the confidentiality and integrity of personal or sensitive data.
This can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
However, the provided information does not explicitly detail the compliance impact or specific regulatory implications.
Can you explain this vulnerability to me?
This vulnerability affects PrestaShop, an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) attacks in the back-office (BO). An attacker who can inject data into the database, either through limited back-office access or by exploiting a previously existing vulnerability, can exploit unprotected variables in back-office templates to execute malicious scripts.
How can this vulnerability impact me? :
The impact of this vulnerability is significant as it allows an attacker to execute arbitrary scripts in the context of the back-office interface. This can lead to complete compromise of confidentiality, integrity, and availability of the affected system, as indicated by the CVSS score of 7.6 with high impact on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade PrestaShop to version 8.2.5 or 9.1.0, as these versions contain the fix for the stored Cross-Site Scripting (XSS) vulnerabilities in the back-office.
No known workarounds are available, so applying the official patch by upgrading is the immediate recommended action.