CVE-2026-54159
Received Received - Intake

PHP Object Injection in PrestaShop ps_facetedsearch Module

Vulnerability report for CVE-2026-54159, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value of a slider filter, price or weight, is taken from the URL without sufficient validation and stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting that value, an unauthenticated attacker can smuggle a malicious serialized PHP object into the cache, and when it is deserialized, a gadget chain writes an arbitrary PHP file inside the modules/ps_facetedsearch/ directory, which is then used as a webshell to run commands on the server. This issue is fixed in version 4.0.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
prestashop ps_facetedsearch From 3.0.0 (inc) to 4.0.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the PrestaShop ps_facetedsearch module versions 3.0.0 to 4.0.4. It allows an unauthenticated attacker to inject a malicious serialized PHP object via URL parameters, which is then deserialized and used to write an arbitrary PHP file as a webshell in the module's directory. This enables remote command execution on the server.

Detection Guidance

Check if the ps_facetedsearch module version is between 3.0.0 and 4.0.4. Inspect the modules/ps_facetedsearch directory for unexpected PHP files or webshells. Review server logs for unusual file writes or command executions.

Impact Analysis

An attacker could exploit this to execute arbitrary commands on your server, potentially leading to full system compromise, data theft, or further network infiltration. The attack requires no authentication and can be performed remotely.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR and HIPAA requirements for data protection and confidentiality. A successful exploit may result in data breaches, triggering legal penalties and compliance violations.

Mitigation Strategies

Upgrade the ps_facetedsearch module to version 4.0.4 or later immediately. Remove any unknown PHP files in the modules/ps_facetedsearch directory. Monitor server activity for signs of compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54159. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart