Product

prestashop

106 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-33674
< 8.2.5
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework
2.0LOW
CVE-2026-33673
< 8.2.5
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scr
7.6HIGH
CVE-2026-25597
< 8.2.4
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerab
5.3MEDIUM
CVE-2025-61924
< 7.4.4.1
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, th
3.8LOW
CVE-2025-61923
< 7.4.4.1
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, th
4.1MEDIUM
CVE-2025-61922
>= 1.3.0 and < 7.4.4.1
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to v
9.1CRITICAL
CVE-2025-51586
< 8.2.1
An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain se
3.7LOW
CVE-2025-25692
all versions
A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code v
6.5MEDIUM
CVE-2025-25691
all versions
A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary co
6.5MEDIUM
CVE-2024-36626
all versions
In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php.
5.3MEDIUM
CVE-2024-41651
<= 8.1.7
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality.
8.1HIGH
CVE-2024-34717
all versions
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in a
5.3MEDIUM
CVE-2024-34716
>= 8.1.0 and < 8.1.6
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops
9.6CRITICAL
CVE-2024-28392
<= 2.0.11
SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the ps
9.8CRITICAL
CVE-2024-26129
>= 8.1.0 and < 8.1.4
PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable t
5.8MEDIUM
CVE-2023-48926
< 2.3.4
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers t
5.3MEDIUM
CVE-2024-21628
< 8.1.3
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, wh
5.4MEDIUM
CVE-2024-21627
< 1.7.8.11
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by
8.1HIGH
CVE-2023-47110
< 5.1.4
blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustwo
9.1CRITICAL
CVE-2023-47109
< 5.1.4
PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store i
5.5MEDIUM
CVE-2023-43664
< 8.1.2
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules
4.3MEDIUM
CVE-2023-43663
< 8.1.2
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back
6.3MEDIUM
CVE-2022-45448
<= 3.2.3
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerab
3.5LOW
CVE-2022-45447
<= 3.2.3
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “
6.5MEDIUM
CVE-2023-39530
< 8.1.1
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server vi
6.5MEDIUM
CVE-2023-39529
< 8.1.1
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server b
6.7MEDIUM
CVE-2023-39528
< 8.1.1
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the displayAjaxEmailHTML method can be used to
6.8MEDIUM
CVE-2023-39527
< 1.7.8.10
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site
8.3HIGH
CVE-2023-39526
< 1.7.8.10
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote cod
9.1CRITICAL
CVE-2023-39525
< 8.1.1
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised usin
6.5MEDIUM
CVE-2023-39524
< 8.1.1
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search fiel
6.7MEDIUM
CVE-2023-30839
< 1.7.8.9
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability
9.9CRITICAL
CVE-2023-30838
< 1.7.8.9
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the ValidateCore::isCleanHTML() me
8.5HIGH
CVE-2023-30545
< 1.7.8.9
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with acces
7.7HIGH
CVE-2023-27570
>= 1.2.0 and < 1.4.19
The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.
9.8CRITICAL
CVE-2023-27569
>= 1.2.0 and < 1.3.0
The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header.
9.8CRITICAL
CVE-2023-25170
< 8.0.1
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery
5.0MEDIUM
CVE-2022-46158
< 1.7.8.8
PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for u
5.3MEDIUM
CVE-2022-35933
< 5.0.2
This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attack
6.1MEDIUM
CVE-2022-31181
>= 1.6.0.10 and < 1.7.8.7
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL inj
9.8CRITICAL
CVE-2020-21967
all versions
File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add n
4.8MEDIUM
CVE-2022-21686
>= 1.7.0.0 and <= 1.7.8.3
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is ab
9.0CRITICAL
CVE-2012-20001
< 1.5.2
PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field.
6.1MEDIUM
CVE-2021-43789
>= 1.7.5.0 and < 1.7.8.2
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injec
7.5HIGH
CVE-2021-21398
>= 1.7.7.0 and < 1.7.7.3
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML
5.4MEDIUM
CVE-2021-21308
> 1.5.0.0 and < 1.7.7.2
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not c
6.1MEDIUM
CVE-2021-21302
> 1.5.0.0 and < 1.7.7.2
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulner
6.8MEDIUM
CVE-2021-3110
all versions
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGr
9.8CRITICAL
CVE-2020-26248
< 4.2.1
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or sto
6.8MEDIUM
CVE-2020-26224
< 1.7.6.9
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abus
7.5HIGH
CVE-2020-15162
>= 1.5.0.0 and < 1.7.6.8
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allo
5.4MEDIUM
CVE-2020-15160
>= 1.7.5.0 and < 1.7.6.8
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product ed
9.8CRITICAL
CVE-2020-15161
>= 1.6.0.4 and < 1.7.6.8
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact for
5.4MEDIUM
CVE-2020-4074
>= 1.5.0.0 and < 1.7.6.6
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to f
8.9HIGH
CVE-2020-15083
> 1.7.0.0 and < 1.7.6.6
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. Th
4.7MEDIUM
CVE-2020-15082
>= 1.6.0.1 and < 1.7.6.6
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The pro
7.1HIGH
CVE-2020-15081
> 1.5.0.0 and < 1.7.6.6
In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed
5.3MEDIUM
CVE-2020-15080
> 1.7.4.0 and < 1.7.6.6
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should
5.3MEDIUM
CVE-2020-15079
> 1.5.0.0 and < 1.7.6.6
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager an
6.4MEDIUM
CVE-2020-11074
> 1.5.3.0 and < 1.7.6.6
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. T
5.4MEDIUM
CVE-2020-5293
> 1.7.0.0 and < 1.7.6.5
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachme
6.5MEDIUM
CVE-2020-5288
> 1.7.0.0 and < 1.7.6.5
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is
4.1MEDIUM
CVE-2020-5287
> 1.5.5.0 and < 1.7.6.5
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in
4.1MEDIUM
CVE-2020-5286
> 1.7.4.0 and < 1.7.6.5
In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in
4.1MEDIUM
CVE-2020-5285
> 1.7.6.0 and < 1.7.6.5
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with back parameter. The problem is fixed in 1.7.6.
4.1MEDIUM
CVE-2020-5279
> 1.5.0.0 and < 1.7.6.5
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the version 1.5.0.0 for legacy con
4.1MEDIUM
CVE-2020-5278
> 1.5.4.0 and < 1.7.6.5
In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5
4.1MEDIUM
CVE-2020-5276
> 1.7.1.0 and < 1.7.6.5
In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on AdminCarts page with cartBox parameter The probl
4.1MEDIUM
CVE-2020-5272
> 1.5.5.0 and < 1.7.6.5
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with alias and search parameters.
4.1MEDIUM
CVE-2020-5271
> 1.6.0.0 and < 1.7.6.5
In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with date_from and date_to parameters in the dash
4.1MEDIUM
CVE-2020-5270
> 1.7.6.0 and < 1.7.6.5
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be man
4.1MEDIUM
CVE-2020-5269
> 1.7.6.1 and < 1.7.6.5
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the id_feature param
4.1MEDIUM
CVE-2020-5265
> 1.7.6.1 and < 1.7.6.5
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched
4.4MEDIUM
CVE-2020-5264
> 1.7.0.0 and < 1.7.6.5
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to ex
4.4MEDIUM
CVE-2020-5250
>= 1.7.0.0 and < 1.7.6.4
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and
7.6HIGH
CVE-2013-6295
all versions
PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module
9.8CRITICAL
CVE-2013-4792
< 1.4.11
PrestaShop before 1.4.11 allows logout CSRF.
5.5MEDIUM
CVE-2013-4791
< 1.4.11
PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector o
5.4MEDIUM
CVE-2012-2517
< 1.4.9.0
Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML
6.1MEDIUM
CVE-2013-6358
all versions
PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing
8.8HIGH
CVE-2020-6632
all versions
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesContro
6.1MEDIUM
CVE-2019-19595
all versions
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allo
9.8CRITICAL
CVE-2019-19594
all versions
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote a
9.8CRITICAL
CVE-2019-13461
<= 1.7.5.2
In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Obj
7.5HIGH
CVE-2019-11876
all versions
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected
6.1MEDIUM
CVE-2018-20717
< 1.7.2.5
In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role
8.8HIGH
CVE-2018-19355
>= 1.5.0.0 and <= 1.7.0.0
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote at
9.8CRITICAL
CVE-2018-19126
>= 1.6.0.1 and < 1.6.1.23
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
9.8CRITICAL
CVE-2018-19125
>= 1.6.0.1 and < 1.6.1.23
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.
7.5HIGH
CVE-2018-19124
>= 1.6.0.1 and < 1.6.1.23
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files.
7.5HIGH
CVE-2018-13784
< 1.6.1.20
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
9.1CRITICAL
CVE-2018-8824
>= 1.5.5.0 and <= 1.7.2.5
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.
9.8CRITICAL
CVE-2018-8823
>= 1.5.5.0 and <= 1.7.2.5
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.
9.8CRITICAL
CVE-2018-7491
<= 1.7.2.5
In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in th
7.5HIGH
CVE-2018-5682
all versions
PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This
5.3MEDIUM
CVE-2018-5681
all versions
PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen.
5.4MEDIUM
CVE-2015-1175
<= 1.6.0.9
Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier all
CVE-2012-6641
<= 1.4.7.1
Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4
CVE-2012-5801
all versions
The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) o
CVE-2012-5800
all versions
The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or
CVE-2012-5799
all versions
The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subjec
CVE-2011-4545
all versions
CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP head
CVE-2011-4544
<= 1.4.0.6
Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script
CVE-2011-3796
all versions
PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the
CVE-2008-6503
all versions
Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or
CVE-2008-5791
<= 1.0
Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and att
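The listing above encodes each entry as four lines: CVE id, an affected-version range ("< 8.2.5", ">= 1.6.0.10 and < 1.7.8.7", "all versions"), a description, and a score fused with its severity ("9.8CRITICAL"; the oldest entries have no score line). Matching an installed PrestaShop version against those ranges by hand is error-prone, mostly because dotted versions must be compared numerically (1.7.6.10 is newer than 1.7.6.9, and 1.7.6 equals 1.7.6.0). The following is an added example, not code from this page or from the PrestaShop project: it parses records in the page's layout and returns the entries whose range covers a given version. The sample listing embedded in it is constructed from a handful of the entries above; the record grammar (four lines, optional score line) is an assumption taken from how the page renders.

```python
"""Match an installed version against a four-line-per-record vulnerability listing.
Added example; not code from the page or from PrestaShop itself."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the page's layout: CVE id, affected range, (truncated)
# description, then score and severity fused into one token. The last record
# has no score line, as the oldest entries on the page do not.
SAMPLE_LISTING = """\
CVE-2024-41651
<= 8.1.7
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality.
8.1HIGH
CVE-2022-31181
>= 1.6.0.10 and < 1.7.8.7
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL inj
9.8CRITICAL
CVE-2025-25692
all versions
A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code v
6.5MEDIUM
CVE-2020-5270
> 1.7.6.0 and < 1.7.6.5
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter.
4.1MEDIUM
CVE-2012-6641
<= 1.4.7.1
Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4
"""


class Entry(NamedTuple):
    cve: str
    version_range: str
    description: str
    score: Optional[float]
    severity: Optional[str]


Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Numeric tuple, right-padded with zeros so '1.7.6' == '1.7.6.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "==": lambda v, b: v == b,
}
_CLAUSE = re.compile(r"^(>=|<=|>|<|==)\s*(\d+(?:\.\d+)*)$")


def in_range(version: str, range_text: str) -> bool:
    """Evaluate a range like '>= 1.6.0.10 and < 1.7.8.7' or 'all versions'."""
    if range_text.strip().lower() == "all versions":
        return True
    v = parse_version(version)
    for clause in range_text.split(" and "):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")
_SCORE = re.compile(r"^(\d+\.\d)([A-Z]+)$")   # e.g. '9.8CRITICAL'


def parse_listing(text: str) -> List[Entry]:
    """Walk the listing; a record starts at a CVE id and the score line is optional."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if not _CVE.match(lines[i]):
            i += 1                      # skip anything that is not a record start
            continue
        if i + 2 >= len(lines):
            break                       # truncated trailing record
        cve, vrange, desc = lines[i], lines[i + 1], lines[i + 2]
        i += 3
        score = severity = None
        if i < len(lines) and (m := _SCORE.match(lines[i])):
            score, severity = float(m.group(1)), m.group(2)
            i += 1
        entries.append(Entry(cve, vrange, desc, score, severity))
    return entries


def affecting(version: str, text: str = SAMPLE_LISTING) -> List[Entry]:
    """Entries whose range covers `version`, highest score first, unscored last."""
    hits = [e for e in parse_listing(text) if in_range(version, e.version_range)]
    return sorted(hits, key=lambda e: (e.score is None, -(e.score or 0.0)))


if __name__ == "__main__":
    for e in affecting("1.7.6.10"):
        print(e.cve, e.score, e.severity, e.version_range)
```

Two caveats when using this against the full page. First, "all versions" entries match unconditionally; they are the ones whose upstream description names a single tested version (for example "PrestaShop v8.2.0") rather than a fixed range, so they need a manual read of the description. Second, a single inequality range cannot express a fix shipped on several branches: an entry listed as "< 1.7.8.10" whose description also names 8.0.5 and 8.1.1 as fix versions will not match an 8.0.4 install, so treat the range column as a first filter and confirm against the description text.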
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin