Platform
php
Component
prestashop/prestashop
Fixed in
9.0.1
8.2.6
9.1.0
CVE-2026-33673 describes multiple stored Cross-Site Scripting (XSS) vulnerabilities within the PrestaShop back office (BO). An attacker capable of injecting data into the database, either through limited back-office access or leveraging a pre-existing vulnerability, can exploit unprotected variables in back-office templates. This vulnerability impacts PrestaShop versions up to 9.1.0-rc.1 and is resolved in versions 8.2.5 and 9.1.0.
Successful exploitation of CVE-2026-33673 allows an attacker to inject arbitrary JavaScript code into the PrestaShop back office. This code can then be executed in the context of a user's browser, potentially leading to account takeover, data theft, or defacement of the website. The impact is particularly severe because the vulnerability requires only limited back-office access, meaning an attacker doesn't necessarily need full administrative privileges to exploit it. The ability to inject data into the database, even through a separate vulnerability, significantly expands the attack surface. This vulnerability shares similarities with other XSS vulnerabilities where user-supplied data is not properly sanitized before being rendered in a web page.
CVE-2026-33673 was publicly disclosed on March 25, 2026. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the XSS nature of the vulnerability and the potential for widespread impact, it is prudent to assume that attackers may actively seek to exploit it.
PrestaShop installations running versions 9.1.0-rc.1 and earlier are at risk. This includes businesses using PrestaShop for e-commerce, particularly those with limited security expertise or those who have not implemented robust input validation practices. Shared hosting environments running PrestaShop are also at increased risk, as vulnerabilities in one installation could potentially impact others.
• php: Examine back-office templates for unprotected variables. Search for instances where user-supplied data is rendered directly, without an escaping modifier. The pattern below lists Smarty variables that carry no modifier at all (and so no |escape):
find /path/to/prestashop -name '*.tpl' -print0 | xargs -0 grep -nE '\{\$[^}|]*\}'
• generic web: Monitor access logs for unusual POST requests to back-office endpoints. Look for patterns indicative of XSS payload injection.
grep -i 'script' /var/log/apache2/access.log
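The script below is an added example, not code from the advisory or from the PrestaShop project. It generalizes the two checks above: the template audit covers Smarty variables with no modifier, Smarty expressions marked nofilter, and Twig expressions using |raw (the back office mixes .tpl and .html.twig files), and the log check decodes the percent-escapes that matter before matching, so an encoded payload is not missed. The template contents, the /admin-dev/ admin directory name, and the access-log lines are all constructed for the demo; on a real install substitute the renamed admin directory and the real paths.

```shell
#!/usr/bin/env bash
# Added example, not PrestaShop project code. Everything below (template
# contents, admin directory name, log lines) is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample templates: one Smarty (.tpl) and one Twig (.html.twig).
mkdir -p "$WORK/templates"
cat > "$WORK/templates/product_list.tpl" <<'EOF'
<td>{$product.name|escape:'htmlall':'UTF-8'}</td>
<td>{$product.description nofilter}</td>
<td>{$product.reference}</td>
EOF
cat > "$WORK/templates/customer.html.twig" <<'EOF'
<p>{{ customer.email }}</p>
<p>{{ customer.note|raw }}</p>
EOF

# Constructed access-log lines (Apache combined format). /admin-dev/ is a
# placeholder for the renamed admin directory of a real install.
cat > "$WORK/access.log" <<'EOF'
10.0.0.5 - - [25/Mar/2026:10:00:01 +0000] "POST /admin-dev/index.php?controller=AdminProducts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2026:10:00:07 +0000] "POST /admin-dev/index.php?controller=AdminCustomers&note=%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2026:10:00:09 +0000] "GET /index.php?id_product=1&q=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF

# Heuristic scan for template expressions that bypass output escaping:
#   - Smarty {$var} with no modifier at all (so no |escape)
#   - Smarty expressions carrying the nofilter flag
#   - Twig expressions using |raw, which disables autoescaping
# Prints file:line:text for each hit. Review hits by hand: a value may
# already be escaped in PHP before it reaches the template.
scan_templates() {
    find "$1" -type f \( -name '*.tpl' -o -name '*.twig' \) -print0 \
      | xargs -0 grep -nE \
          '\{\$[A-Za-z_][^}|]*\}|\{\$[^}]*[[:space:]]nofilter[[:space:]]*\}|\{\{[^}]*\|[[:space:]]*raw[^}]*\}\}' \
      || true
}

count_unescaped() { scan_templates "$1" | wc -l | tr -d ' '; }

# Flag POST requests to the back office ($2 is the admin path prefix) whose
# URL, after decoding the few percent-escapes that matter here, contains a
# common XSS marker. Only POSTs are considered, matching the check above.
flag_admin_posts() {
    grep -F "\"POST $2" "$1" \
      | sed -e 's/%3[cC]/</g' -e 's/%3[eE]/>/g' -e 's/%3[dD]/=/g' \
            -e 's/%3[aA]/:/g' -e 's/+/ /g' \
      | grep -iE '<script|onerror=|onload=|javascript:' \
      || true
}

count_flagged() { flag_admin_posts "$1" "$2" | wc -l | tr -d ' '; }

echo "== template expressions rendered without escaping =="
scan_templates "$WORK/templates"
echo "== back-office POSTs carrying XSS markers =="
flag_admin_posts "$WORK/access.log" "/admin-dev/"
```

On the sample data the template scan reports three lines (the nofilter and bare-variable Smarty lines and the |raw Twig line) and skips the |escape'd variable and the autoescaped Twig variable; the log check flags only the encoded back-office POST, not the storefront GET. Both functions are heuristics for triage, not proof of exploitability.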
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33673 is to upgrade to PrestaShop version 9.1.0 or later, or version 8.2.5. Unfortunately, no specific workarounds are provided in the advisory. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within the back office. While not a direct mitigation, a Web Application Firewall (WAF) configured to detect and block XSS payloads could provide a layer of defense. Regular security audits and penetration testing are also recommended to identify and address potential vulnerabilities.
Upgrade PrestaShop to version 8.2.5 or 9.1.0, or a later version, to fix the stored XSS vulnerabilities. No known workarounds exist.
CVE-2026-33673 is a stored Cross-Site Scripting (XSS) vulnerability affecting PrestaShop versions up to 9.1.0-rc.1. Attackers can inject malicious scripts into the back office, potentially leading to account takeover.
Yes, if you are running PrestaShop versions 9.1.0-rc.1 or earlier, you are vulnerable to this XSS vulnerability. Upgrade to version 9.1.0 or 8.2.5 to mitigate the risk.
The recommended fix is to upgrade to PrestaShop version 9.1.0 or 8.2.5. No specific workarounds are provided.
As of now, there are no confirmed reports of active exploitation, but given the nature of the vulnerability, it's prudent to assume attackers may seek to exploit it.
Refer to the official PrestaShop security advisory for detailed information and updates regarding CVE-2026-33673.