Platform: php
Component: prestashop/prestashop
Fixed in: 9.0.1, 8.2.6, 9.1.0
CVE-2026-33673 describes multiple stored Cross-Site Scripting (XSS) vulnerabilities within the PrestaShop back office (BO). An attacker capable of injecting data into the database, either through limited back-office access or leveraging a pre-existing vulnerability, can exploit unprotected variables in back-office templates. This vulnerability impacts PrestaShop versions up to 9.1.0-rc.1 and is resolved in versions 8.2.5 and 9.1.0.
Successful exploitation of CVE-2026-33673 allows an attacker to inject arbitrary JavaScript code into the PrestaShop back office. That code then executes in the browser of any back-office user who views the affected page, potentially leading to account takeover, data theft, or defacement of the website. The impact is particularly severe because the vulnerability requires only limited back-office access, so an attacker does not necessarily need full administrative privileges to exploit it. The ability to inject data into the database, even through a separate vulnerability, significantly expands the attack surface. This is the classic stored XSS pattern: user-supplied data is written to the database and later rendered in a page without being properly escaped.
CVE-2026-33673 was publicly disclosed on March 25, 2026. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the XSS nature of the vulnerability and the potential for widespread impact, it is prudent to assume that attackers may actively seek to exploit it.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-33673 is to upgrade to PrestaShop version 9.1.0 or later, or version 8.2.5. Unfortunately, no specific workarounds are provided in the advisory. If upgrading is not immediately feasible, review the back-office templates so that every user-controlled value is output-encoded for the context in which it is rendered, and apply strict input validation to data that reaches the database. While not a direct mitigation, a Web Application Firewall (WAF) configured to detect and block XSS payloads can add a layer of defense, but it should not be relied on as the fix. Regular security audits and penetration testing are also recommended to identify and address potential vulnerabilities.
Update PrestaShop to version 8.2.5 or 9.1.0, or a later version, to fix the stored XSS vulnerabilities. No workarounds are known.
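As an added illustration of the template review suggested above (this is not code from PrestaShop or the advisory), a small heuristic scanner that flags back-office template outputs rendered without escaping. It assumes the Smarty convention that a `{$var}` output is raw unless an `|escape` modifier is applied or `nofilter` is present, and the Twig convention that `|raw` or `autoescape false` bypasses autoescaping; the template lines below are constructed.

```python
import re

# Smarty output tag: {$var ...}; Twig output tag: {{ expr }}
SMARTY_TAG = re.compile(r"\{\$[^}]*\}")
TWIG_TAG = re.compile(r"\{\{.*?\}\}")

def scan_template(text, kind):
    """Return (line_no, snippet, reason) tuples for outputs that look unescaped.

    kind is 'smarty' or 'twig'. This is a heuristic: it assumes Smarty output
    is raw unless |escape is applied (and that nofilter strips output filters),
    and that Twig autoescaping is on unless |raw or autoescape false is used.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if kind == "smarty":
            for m in SMARTY_TAG.finditer(line):
                tag = m.group(0)
                if "nofilter" in tag:
                    findings.append((no, tag, "nofilter disables output filters"))
                elif "|escape" not in tag:
                    findings.append((no, tag, "no |escape modifier"))
        elif kind == "twig":
            if re.search(r"autoescape\s+false", line):
                findings.append((no, line.strip(), "autoescape disabled"))
            for m in TWIG_TAG.finditer(line):
                if "|raw" in m.group(0):
                    findings.append((no, m.group(0), "|raw bypasses autoescape"))
        else:
            raise ValueError("kind must be 'smarty' or 'twig'")
    return findings

# Constructed sample templates (not real PrestaShop files).
SMARTY_SAMPLE = """<td>{$customer.firstname|escape:'htmlall':'UTF-8'}</td>
<td>{$customer.note}</td>
<div>{$order.message nofilter}</div>"""

TWIG_SAMPLE = """<td>{{ customer.firstname }}</td>
<td>{{ customer.note|raw }}</td>"""

if __name__ == "__main__":
    for kind, sample in (("smarty", SMARTY_SAMPLE), ("twig", TWIG_SAMPLE)):
        for no, snippet, reason in scan_template(sample, kind):
            print(f"{kind} line {no}: {snippet} -> {reason}")
```

Every hit still needs a human decision: some values are legitimately pre-sanitized HTML, but each one should be justified rather than assumed safe.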
CVE-2026-33673 is a stored Cross-Site Scripting (XSS) vulnerability affecting PrestaShop versions up to 9.1.0-rc.1. Attackers can inject malicious scripts into the back office, potentially leading to account takeover.
Yes, if you are running PrestaShop versions 9.1.0-rc.1 or earlier, you are vulnerable to this XSS vulnerability. Upgrade to version 9.1.0 or 8.2.5 to mitigate the risk.
The recommended fix is to upgrade to PrestaShop version 9.1.0 or 8.2.5. No specific workarounds are provided.
As of now, there are no confirmed reports of active exploitation, but given the nature of the vulnerability, it's prudent to assume attackers may seek to exploit it.
Refer to the official PrestaShop security advisory for detailed information and updates regarding CVE-2026-33673.