Main Vulnerability Database Vulnerabilities #VU129580

Cross-site scripting in PrestaShop - CVE-2026-33673

Published: May 4, 2026

Vulnerability identifier: #VU129580

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-33673

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PrestaShop

Software vendor:
PrestaShop SA

Description

The vulnerability allows a remote user to execute arbitrary script in the back office.

The vulnerability exists due to cross-site scripting in back-office templates when rendering unprotected variables from stored database content. A remote privileged user can inject crafted data into the database to execute arbitrary script in the back office.

User interaction is required, and exploitation requires the ability to inject data into the database through limited back-office access or a previously existing vulnerability.

Remediation

Install security update from vendor's website.

External links

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv

Cross-site scripting in PrestaShop - CVE-2026-33673

Description

Remediation

External links

Please verify you're human