HIGH 7.6
GHSA-35pf-37c6-jxjv
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables
Details
### Impact Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates.
### Patches Patched on 8.2.5 and 9.1.0
### Workarounds None
### References None
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / prestashop/prestashop
Introduced in:
9.0.0-alpha.1 Fixed in: 9.1.0 Fix
composer require prestashop/prestashop:^9.1.0 Packagist / prestashop/prestashop
Introduced in:
0 Fixed in: 8.2.5 Fix
composer require prestashop/prestashop:^8.2.5 References
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33673 [ADVISORY]
- https://github.com/PrestaShop/PrestaShop [PACKAGE]
- https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5 [WEB]
- https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0 [WEB]