This page aggregates CVEs and security vulnerability information across PrestaShop and PrestaShop-related products (core and modules), listing CVSS score, EPSS probability, publication date and the vulnerability description for each entry.
Common weakness patterns in this set include path-handling flaws, missing input validation, CSRF and open redirect; in a deployed store these can result in file overwrite, unexpected behavior and, in isolated cases, memory corruption.
The data is taken from public vulnerability disclosures and vendor security advisories and can be used to assess historical exposure and to prioritize patching.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33674 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. | [email protected] | 2.0 | 0.03% | 2026-03-26 | 2026-04-01 |
| CVE-2026-33673 | PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. | [email protected] | 7.6 | 0.04% | 2026-03-26 | 2026-04-01 |
| CVE-2026-25597 | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. | [email protected] | 5.3 | 0.05% | 2026-02-06 | 2026-02-19 |
| CVE-2025-61924 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the back office due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | [email protected] | 3.8 | 0.05% | 2025-10-16 | 2025-12-29 |
| CVE-2025-61923 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | [email protected] | 4.1 | 0.04% | 2025-10-16 | 2025-12-29 |
| CVE-2025-61922 | PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | [email protected] | 9.1 | 0.03% | 2025-10-16 | 2025-12-29 |
| CVE-2025-51586 | An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. | [email protected] | 3.7 | 1.03% | 2025-09-08 | 2025-09-12 |
| CVE-2025-25692 | A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | [email protected] | 6.5 | 0.75% | 2025-07-30 | 2025-08-06 |
| CVE-2025-25691 | A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | [email protected] | 6.5 | 0.99% | 2025-07-30 | 2025-08-06 |
| CVE-2024-36626 | In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. | [email protected] | 5.3 | 0.05% | 2024-11-29 | 2025-09-15 |
| CVE-2024-41651 | An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). | [email protected] | 8.1 | 32.32% | 2024-08-12 | 2024-10-09 |
| CVE-2024-36684 | In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection. | [email protected] | 9.8 | 0.81% | 2024-06-19 | 2024-11-21 |
| CVE-2024-34717 | PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. | [email protected] | 5.3 | 0.53% | 2024-05-14 | 2025-01-21 |
| CVE-2024-34716 | PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the s | [email protected] | 9.6 | 42.32% | 2024-05-14 | 2025-01-21 |
| CVE-2024-28392 | SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method. | [email protected] | 9.8 | 0.29% | 2024-03-20 | 2025-09-18 |
| CVE-2024-25843 | In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions. | [email protected] | 9.8 | 0.15% | 2024-02-27 | 2025-05-15 |
| CVE-2024-26129 | PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. | [email protected] | 5.8 | 0.30% | 2024-02-19 | 2025-01-17 |
| CVE-2023-48926 | An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | [email protected] | 5.3 | 0.26% | 2024-01-16 | 2025-06-02 |
| CVE-2024-21628 | PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching | [email protected] | 5.4 | 0.38% | 2024-01-02 | 2024-11-21 |
| CVE-2024-21627 | PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that i | [email protected] | 8.1 | 0.95% | 2024-01-02 | 2024-11-21 |
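The time-based user enumeration entry (CVE-2025-25597) describes the symptom, an authentication endpoint whose response time reveals whether the e-mail belongs to an existing customer, but not the code. The following is an added example, not PrestaShop code and not the actual fix, showing the general pattern behind that class of bug in PHP: a login check that returns early for unknown accounts and skips the expensive hash verification, beside one that does the same amount of work on both branches. The user table, the `$dummyHash`, and the function names `loginLeaky`, `loginConstantWork` and `medianMs` are hypothetical; the timing loop exists only to make the gap visible locally.

```php
<?php
// Added example (not PrestaShop code): an existence oracle through response
// time, beside a version that performs one bcrypt verification on every path.
// $users, $dummyHash and all function names are hypothetical.

// Constructed user table with one account.
$users = [
    'alice@example.test' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

// A real bcrypt hash with the same cost, verified against whenever the account
// is unknown so that both branches pay for one bcrypt run. Its result is discarded.
$dummyHash = password_hash('unused', PASSWORD_BCRYPT, ['cost' => 10]);

// Vulnerable: an unknown e-mail returns before any bcrypt work is done, so the
// "account does not exist" path is measurably faster than a wrong password.
function loginLeaky(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    return password_verify($password, $users[$email]);
}

// Hardened: always run exactly one password_verify(), then AND the result with
// the existence check so an unknown account still fails.
function loginConstantWork(array $users, string $dummyHash, string $email, string $password): bool
{
    $exists = isset($users[$email]);
    $hash   = $exists ? $users[$email] : $dummyHash;
    $ok     = password_verify($password, $hash);
    return $exists && $ok;
}

// Median wall-clock time of several calls, in milliseconds, to damp noise.
function medianMs(callable $fn, int $runs = 7): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

// Compare a known e-mail against an unknown one, both with a wrong password.
$cases = [
    'loginLeaky'        => fn(string $e) => loginLeaky($users, $e, 'wrong-password'),
    'loginConstantWork' => fn(string $e) => loginConstantWork($users, $dummyHash, $e, 'wrong-password'),
];
foreach ($cases as $name => $attempt) {
    $known   = medianMs(fn() => $attempt('alice@example.test'));
    $unknown = medianMs(fn() => $attempt('nobody@example.test'));
    printf("%-18s known=%.1fms unknown=%.1fms\n", $name, $known, $unknown);
}
```

With `loginLeaky` the unknown-account timing is close to zero while the known-account timing is one bcrypt run; with `loginConstantWork` both are one bcrypt run. The dummy hash must use the same algorithm and cost as the stored hashes, otherwise the difference simply moves rather than disappears. The remaining error message and status code should also be identical on both paths, which this example does not show.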
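CVE-2025-61924 attributes the merchant-account hijack in PrestaShop Checkout to "wrong usage of the PHP array_search()" without saying which usage. The block below is an added example, not the module's code and not a reconstruction of that bug: it shows the two ways `array_search()` is commonly misused in an allow-list check, a truthiness test on a return value that is a key (and may be `0`), and the default loose `==` comparison, next to the strict form. The merchant-id list and the `isAllowed*` function names are hypothetical.

```php
<?php
// Added example (not PrestaShop Checkout code): array_search() pitfalls in an
// allow-list check. $allowedMerchants, $numericList and the isAllowed*
// functions are hypothetical.

// Constructed allow-list of merchant ids a back-office user may select.
$allowedMerchants = ['M-10', 'M-20', 'M-30'];

// Pitfall 1: array_search() returns the matching KEY, not a boolean. The first
// element lives at key 0, which is falsy, so a truthiness test rejects it
// while a genuinely absent id returns false and is handled the same way.
function isAllowedTruthy(array $allowed, string $id): bool
{
    return (bool) array_search($id, $allowed);
}

// Pitfall 2: the default comparison is loose (==). Two numeric strings are
// compared as numbers, so '1e1' matches '10' and '10.0' matches '10'; an
// attacker-controlled id can therefore "equal" an entry it does not spell.
function isAllowedLoose(array $allowed, string $id): bool
{
    return array_search($id, $allowed) !== false;
}

// Correct: pass true as the third argument for strict (===) comparison and
// test the result with !== false rather than by truthiness.
function isAllowedStrict(array $allowed, string $id): bool
{
    return array_search($id, $allowed, true) !== false;
}

// For the same reason, in_array() needs its strict flag when the haystack
// holds numeric-looking strings.
function isAllowedInArray(array $allowed, string $id): bool
{
    return in_array($id, $allowed, true);
}

$numericList = ['10', '20'];

// First allow-listed id: the truthiness check treats key 0 as "not found".
var_dump(isAllowedTruthy($allowedMerchants, 'M-10'));
var_dump(isAllowedStrict($allowedMerchants, 'M-10'));

// Numeric-string aliasing: '1e1' is not in the list but compares equal to '10'.
var_dump(isAllowedLoose($numericList, '1e1'));
var_dump(isAllowedStrict($numericList, '1e1'));
var_dump(isAllowedInArray($numericList, '1e1'));
```

Running this prints `false` for the truthiness check on `M-10` even though it is allow-listed, `true` for the loose check on `1e1`, and `false`/`true` as expected for the strict variants. When an allow-list is keyed by identifier it is usually simpler to store it as keys (`['M-10' => true]`) and use `isset()`, which avoids both problems.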