Threat Advisory

PrestaShop Vulnerability Exposes Stored XSS Attack

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-44212, with a CVSS score of 9.3, is a stored Cross-site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. It affects the composer/prestashop/prestashop package in versions prior to 8.2.6 and in versions 9.0.0 to 9.1.0. An unauthenticated attacker can submit a malicious email address through the public Contact Us form; the value is stored in the database and executes when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. The attacker can then act on behalf of the affected user, including performing sensitive operations. The business impact is severe: the attacker gains elevated privileges and access to sensitive data, potentially leading to financial loss, reputation damage, and loss of user trust. Exploitation requires only access to the public Contact Us form and the ability to get the malicious value stored in the database; no authentication is required to submit the form.
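The two trust boundaries the advisory describes (the public form where the email is accepted, and the back-office view where it is rendered), shown as defensive PHP. This is an added example, not PrestaShop's own code; the function names, the column names id_customer_thread and email, and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Input boundary: accept only a syntactically valid address before storing it.
// Note that FILTER_VALIDATE_EMAIL accepts RFC quoted local parts, so this
// narrows the surface but is not the fix on its own; escaping on output is.
function validateContactEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Output boundary: escape when rendering the thread in the back-office, so
// whatever reached the database is shown as text and never parsed as markup.
function renderEmailCell(string $storedEmail): string
{
    return '<td>' . htmlspecialchars($storedEmail, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Detection: after patching, audit threads already in the database and return
// the ids whose stored email fails validation or carries markup characters,
// which is the trace an injected payload leaves in the email column.
function auditStoredEmails(array $rows): array
{
    $suspicious = [];
    foreach ($rows as $row) {
        $value = (string) $row['email'];
        $hasMarkup = preg_match('/[<>"\'&]/', $value) === 1;
        if ($hasMarkup || validateContactEmail($value) === null) {
            $suspicious[] = (int) $row['id_customer_thread'];
        }
    }
    return $suspicious;
}

// Constructed sample rows standing in for a query against the thread table
// (column names are assumed, not PrestaShop's schema).
$rows = [
    ['id_customer_thread' => 1, 'email' => 'customer@example.com'],
    ['id_customer_thread' => 2, 'email' => 'x<b>y</b>@example.com'],
    ['id_customer_thread' => 3, 'email' => '"<q>"@example.com'],
];
print_r(auditStoredEmails($rows));
echo renderEmailCell($rows[1]['email']), PHP_EOL;
```

Row 3 passes filter_var because of the quoted local part, which is why the audit checks for markup characters explicitly rather than relying on validation alone.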


RECOMMENDATION:

  • We recommend updating PrestaShop to version 8.2.6 or to version 9.1.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-w9f3-qc75-qgx9
