CVE-2026-14846
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-14846, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
prestashop prestashop 8.2.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects PrestaShop version 8.2.1 and is caused by incorrect sanitization of the 'Alias' parameter in the 'Update your address' function. Due to inadequate validation, an attacker can inject malicious expressions into this parameter.

These malicious expressions are executed when the victim's information is exported using the 'Get my data in CSV' tool, potentially allowing the attacker to perform unauthorized actions.

Impact Analysis

Exploitation of this vulnerability could lead to unauthorized access to the victim's personal data. Attackers can inject malicious code that executes during data export, potentially compromising sensitive information.

Mitigation Strategies

There is no official solution provided yet for this vulnerability.

As an immediate mitigation, avoid using the 'Get my data in CSV' export tool until a fix is available, and restrict access to the 'Update your address' function to trusted users only.

Monitor for any suspicious activity related to the 'Alias' parameter in the 'Update your address' function and consider applying additional input validation or sanitization at the application or network level if possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart