
PrestaShop XSS: Critical Back-Office Takeover via Customer Service View


The National Vulnerability Database has detailed CVE-2026-44212, a critical stored Cross-Site Scripting (XSS) vulnerability affecting PrestaShop, an open-source e-commerce web application. This flaw, present in versions prior to 8.2.6 and 9.1.1, allows an unauthenticated attacker to inject malicious payloads through the public ‘Contact Us’ form. The payload is then stored in the database.

The critical aspect here is the attack vector: when a back-office employee opens the affected customer thread, the malicious script executes. This provides a clear path for session hijacking and, ultimately, a full back-office takeover. Such a compromise grants an attacker extensive control over the e-commerce platform, potentially leading to data theft, payment manipulation, or website defacement. This isn’t theoretical; it’s a direct route to administrative access.

PrestaShop has addressed this vulnerability in versions 8.2.6 and 9.1.1. Given the ease of exploitation and the severe impact, any organization running PrestaShop must prioritize patching. This isn’t a complex chain; it’s a simple, unauthenticated entry point leading to total control. Attackers will certainly be scanning for unpatched instances.

What This Means For You

  • If your organization uses PrestaShop, immediately verify your version. If you are running anything prior to 8.2.6 or 9.1.1, you are exposed to a critical XSS vulnerability that can lead to full back-office compromise. Patch to the latest secure versions (8.2.6 or 9.1.1) without delay. Audit your customer service logs for any suspicious contact form submissions from unusual email addresses, especially those containing script-like characters.
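A small audit helper in the spirit of the recommendation above (an added example, not PrestaShop code and not part of the advisory): it re-validates stored contact-form email addresses against a strict pattern, flags rows containing markup-like fragments, and shows the HTML output-encoding a back-office view should apply before rendering them. The row format and the sample rows are constructed assumptions, not data from the page.

```python
import html
import re
from typing import Iterable

# Strict address shape: no whitespace, no HTML-significant characters,
# exactly one '@' and a dotted domain. Anything else is worth a look.
STRICT_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Fragments that have no place in an address but are typical of injected markup.
MARKUP_HINTS = re.compile(r"[<>\"']|javascript:|on[a-z]+\s*=|&#", re.IGNORECASE)


def is_suspicious_email(value: str) -> bool:
    """True if a stored email value does not look like a plain address."""
    return not STRICT_EMAIL.fullmatch(value) or bool(MARKUP_HINTS.search(value))


def audit_submissions(rows: Iterable[dict]) -> list[dict]:
    """Return the contact-form rows whose email field should be reviewed."""
    return [r for r in rows if is_suspicious_email(r.get("email", ""))]


def render_email_cell(value: str) -> str:
    """Output-encode the address the way a back-office table cell should."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed sample export (not real data). Rows 103 and 104 mimic the kind
# of malformed submission this advisory tells administrators to look for.
SAMPLE_ROWS = [
    {"id": 101, "email": "alice@example.com", "message": "Order status?"},
    {"id": 102, "email": "bob.smith+promo@example.co.uk", "message": "Refund"},
    {"id": 103, "email": "\"><script>alert(1)</script>@example.com", "message": "hi"},
    {"id": 104, "email": "mallory@example.com onmouseover=x", "message": "hello"},
]

if __name__ == "__main__":
    for row in audit_submissions(SAMPLE_ROWS):
        # Escaped output is safe to paste into an HTML report.
        print(f"review thread {row['id']}: {render_email_cell(row['email'])}")
```

Run it against a CSV or SQL export of the customer-thread table; any flagged row identifies a thread an employee should not open in a vulnerable back office until the instance is patched.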

🛡️ Detection Rules


Severity: critical · ATT&CK: T1190 (Initial Access)

PrestaShop Customer Service XSS - Contact Form Submission - CVE-2026-44212

title: PrestaShop Customer Service XSS - Contact Form Submission - CVE-2026-44212
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects the initial submission of the PrestaShop contact form with a suspicious email parameter, which is the vector for CVE-2026-44212. This vulnerability allows unauthenticated attackers to inject a stored XSS payload via the 'email' field, leading to back-office takeover when an employee views the customer thread.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44212/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/contact'
    cs-method: 'POST'
    # Standard access logs do not record the POST body, so this field only
    # matches when 'email=' appears in the URL itself; request-body logging
    # (for example from a WAF or reverse proxy) is needed to see the form field.
    cs-uri-query|contains: 'email='
  # 'condition' belongs directly under 'detection', not inside 'selection'.
  condition: selection
falsepositives:
  - Legitimate customer contact-form submissions
  - Legitimate administrative activity


Indicators of Compromise

ID              Type  Indicator
CVE-2026-44212  XSS   PrestaShop versions prior to 8.2.6 and 9.1.1
CVE-2026-44212  XSS   PrestaShop back-office Customer Service view
CVE-2026-44212  XSS   Public Contact Us form with malicious email address

Source & Attribution

Source Platform  NVD
Channel          National Vulnerability Database
Published        May 15, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

