{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33673", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.930Z", "datePublished": "2026-03-26T21:41:13.249Z", "dateUpdated": "2026-03-27T20:27:40.683Z"}, "containers": {"cna": {"title": "PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"version": ">= 9.0.0-alpha.1, < 9.1.0", "status": "affected"}, {"version": "< 8.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:41:13.249Z"}, "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."}], "source": {"advisory": "GHSA-35pf-37c6-jxjv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:27:27.559622Z", "id": "CVE-2026-33673", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:27:40.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T20:27:27.559622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:27:37.247Z"}}], "cna": {"title": "PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables", "source": {"advisory": "GHSA-35pf-37c6-jxjv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"status": "affected", "version": ">= 9.0.0-alpha.1, < 9.1.0"}, {"status": "affected", "version": "< 8.2.5"}]}], "references": [{"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv", "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:41:13.249Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33673", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:27:40.683Z", "dateReserved": "2026-03-23T16:34:59.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:41:13.249Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9FC2346-1455-48F7-ABA8-FBD5253C8ACC", "versionEndExcluding": "8.2.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "765DE050-DDC6-4607-8126-B90DDE614019", "versionEndExcluding": "9.1.0", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."}, {"lang": "es", "value": "PrestaShop es una aplicaci\u00f3n web de comercio electr\u00f3nico de c\u00f3digo abierto. Las versiones anteriores a la 8.2.5 y 9.1.0 son vulnerables a vulnerabilidades de cross-site scripting almacenado (XSS almacenado) en el BO. Un atacante que puede inyectar datos en la base de datos, a trav\u00e9s de un acceso limitado al back-office o una vulnerabilidad existente previamente, puede explotar variables desprotegidas en las plantillas del back-office. Las versiones 8.2.5 y 9.1.0 contienen una correcci\u00f3n. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33673", "lastModified": "2026-04-01T13:40:03.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T22:16:30.553", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0-alpha.1,9.1.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PrestaShop", "source": "cna", "vendor": "PrestaShop"}, "product": "prestashop", "vendor": "prestashop"}], "analysis": {"en": {"generated_at": "2026-04-02T04:15:25.417322+00:00", "value": {"mitigation_remediation": ["Apply the latest PrestaShop release (8.2.5 or 9.1.0) which includes the fix."], "summary": {"action": "Patch", "impact": "Stored XSS in Back\u2011Office templates"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all PrestaShop instances less than versions 8.2.5 and 9.1.0. Any deployment using those major releases that has not applied the security update is at risk. The updates that fix the problem are available in release 8.2.5 and 9.1.0.", "description_and_impact": "PrestaShop versions older than 8.2.5 and 9.1.0 allow attackers to inject malicious JavaScript into back\u2011office templates. The injection is stored, meaning the code persists in the database and runs automatically when other back\u2011office users view the affected pages. This can lead to the hijacking of user sessions, credential theft, or the execution of further attacks from the victim\u2019s browser. The flaw is a classic stored XSS weakness classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high level of risk, but the EPSS score of less than 1% suggests that active exploitation is currently uncommon. The flaw is not listed in CISA\u2019s KEV catalog, meaning no widespread exploitation has been reported. Attackers need the ability to add or modify data in the back\u2011office database, either by holding limited back\u2011office access or by exploiting another vulnerability that provides that capability. Once the malicious script is stored, any user who views the affected page will be exposed."}}}}, "created": "2026-03-27T08:31:39.364819+00:00", "updated": "2026-04-02T07:56:12.385007+00:00", "vendors": ["prestashop", "prestashop$PRODUCT$prestashop"]}