{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25597", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.717Z", "datePublished": "2026-02-06T20:47:24.793Z", "dateUpdated": "2026-02-09T15:27:54.047Z"}, "containers": {"cna": {"title": "PrestaShop has a time based enumeration in FO login form", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3"}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"version": "< 8.2.4", "status": "affected"}, {"version": ">= 9.0.0-alpha.1, < 9.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:47:24.793Z"}, "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."}], "source": {"advisory": "GHSA-67v7-3g49-mxh2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:22:00.831000Z", "id": "CVE-2026-25597", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:27:54.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25597", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:22:00.831000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:22:01.809Z"}}], "cna": {"title": "PrestaShop has a time based enumeration in FO login form", "source": {"advisory": "GHSA-67v7-3g49-mxh2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"status": "affected", "version": "< 8.2.4"}, {"status": "affected", "version": ">= 9.0.0-alpha.1, < 9.0.3"}]}], "references": [{"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2", "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:47:24.793Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25597", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:27:54.047Z", "dateReserved": "2026-02-03T01:02:46.717Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:47:24.793Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E0A201F-4217-4055-AE4E-D82693EEB90E", "versionEndExcluding": "8.2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAE3FA8E-5622-4234-AE14-AD4FE451357C", "versionEndExcluding": "9.0.3", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."}], "id": "CVE-2026-25597", "lastModified": "2026-02-19T17:27:30.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T21:16:17.933", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:27:39.949088+00:00", "value": {"mitigation_remediation": ["Upgrade to PrestaShop 8.2.4 or later, or to 9.0.3 or later.", "Implement rate limiting or CAPTCHA protection on the front\u2011office login form to impede automated timing attacks.", "If an immediate upgrade is not feasible, consider disabling or restricting the public login form and enforce tighter access controls for authentication."], "summary": {"action": "Apply Update", "impact": "User Enumeration via Timing"}, "threat_synthesis": {"affected_systems": "Affected systems include PrestaShop 8.x releases up to 8.2.3 and PrestaShop 9.x releases up to 9.0.2. Any installation using those versions is vulnerable until it is upgraded to 8.2.4 or later, or to 9.0.3 or later.", "description_and_impact": "PrestaShop prior to releases 8.2.4 and 9.0.3 contains a timing side\u2011channel flaw in its front\u2011office login form that allows an attacker to determine whether a customer account exists by measuring response delays. The vulnerability is classified as CWE\u2011208 and can leak customer identities, a form of information disclosure that may enable targeted credential\u2011stuffing or phishing. While it does not provide code execution or direct data exfiltration, the knowledge of valid accounts can be leveraged in subsequent attacks.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS shows less than 1% probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited current exploitation. The attack vector is a remote web request to the front\u2011office login endpoint and requires no privileged access. An attacker can send repeated requests with different user names and compare response times to infer the existence of accounts, making the attack straightforward for automated scanners."}}}}, "created": "2026-02-09T10:50:08.629132+00:00", "updated": "2026-04-18T13:30:45.750174+00:00", "vendors": ["prestashop", "prestashop$PRODUCT$prestashop"]}