
CVE-2025-25692
https://notcve.org/view.php?id=CVE-2025-25692
30 Jul 2025 — A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. • http://prestashop.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-502: Deserialization of Untrusted Data

CVE-2025-25691
https://notcve.org/view.php?id=CVE-2025-25691
30 Jul 2025 — A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. • http://dem0.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-502: Deserialization of Untrusted Data

CVE-2025-1230 – Cross-Site Scripting (XSS) vulnerability in Prestashop
https://notcve.org/view.php?id=CVE-2025-1230
12 Feb 2025 — Stored Cross-Site Scripting (XSS) vulnerability in PrestaShop 8.1.7, due to the lack of proper validation of user input through '/<admin_directory>/index.php', affecting the 'link' parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. • https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-36626
https://notcve.org/view.php?id=CVE-2024-36626
29 Nov 2024 — In PrestaShop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. • https://gist.github.com/1047524396/25c45b61a6374e0fdaf720c9863c6bcd • CWE-476: NULL Pointer Dereference

CVE-2024-41651
https://notcve.org/view.php?id=CVE-2024-41651
12 Aug 2024 — An issue in PrestaShop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). • https://github.com/Fckroun/CVE-2024-41651 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-34989
https://notcve.org/view.php?id=CVE-2024-34989
21 Jun 2024 — In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb()`. • https://security.friendsofpresta.org/modules/2024/06/20/prestapdf.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-34717 – Anonymous PrestaShop customer can download other customers' invoices
https://notcve.org/view.php?id=CVE-2024-34717
14 May 2024 — PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available. • https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-34716 – PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
https://notcve.org/view.php?id=CVE-2024-34716
14 May 2024 — PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled, a hacker can upload, through the front-office contact form, a malicious file containing an XSS payload that will be executed when an admin opens the attached file in the back office. The script injected can access the session and t... • https://github.com/aelmokhtar/CVE-2024-34716_PoC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-33270
https://notcve.org/view.php?id=CVE-2024-33270
30 Apr 2024 — An issue in FME Modules fileuploads v.2.0.3 and before, fixed in v2.0.4, allows a remote attacker to obtain sensitive information via the uploadfiles.php component. • http://fileuploads.com • CWE-125: Out-of-bounds Read

CVE-2024-33276
https://notcve.org/view.php?id=CVE-2024-33276
29 Apr 2024 — SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. • https://security.friendsofpresta.org/modules/2024/04/25/preorderandnotification.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')