Cross-site scripting in PrestaShop - CVE-2026-33673

 

Published: May 4, 2026


Vulnerability identifier: #VU129580
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33673
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PrestaShop SA
Affected software: PrestaShop

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the back office.

The vulnerability exists due to cross-site scripting in back-office templates when rendering unprotected variables from stored database content. A remote privileged user can inject crafted data into the database to execute arbitrary script in the back office.

User interaction is required, and exploitation requires the ability to inject data into the database through limited back-office access or a previously existing vulnerability.


How to mitigate CVE-2026-33673

Install the security update from the vendor's website.
