Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/prestashop/prestashop@8.1.3
purl pkg:composer/prestashop/prestashop@8.1.3
Next non-vulnerable version 8.2.4
Latest non-vulnerable version 9.1.0
Risk 4.5
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-1trs-ajxn-jkhk
Aliases:
CVE-2025-51586
GHSA-8xx5-h6m3-jr33
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/
8.2.3
Affected by 1 other vulnerability.
VCID-5s8z-4eqn-p7h7
Aliases:
CVE-2024-26129
GHSA-3366-9287-7qpr
### Impact Path disclosure in JavaScript variable ### Patches Patch in PrestaShop 8.1.4 ### References https://owasp.org/www-community/attacks/Full_Path_Disclosure Thanks to https://github.com/hugo-fasone
8.1.4
Affected by 3 other vulnerabilities.
VCID-cf1h-m5xj-mfc5
Aliases:
CVE-2026-25597
GHSA-67v7-3g49-mxh2
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung
8.2.4
Affected by 0 other vulnerabilities.
9.0.3
Affected by 0 other vulnerabilities.
9.1.0-beta.1
Affected by 0 other vulnerabilities.
VCID-ws23-cmum-kyh6
Aliases:
CVE-2024-34716
GHSA-45vm-3j38-7p78
PrestaShop cross-site scripting via customer contact form in FO, through file upload ### Impact Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0. The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. ### Patches This vulnerability is patched in 8.1.6. ### Workarounds As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag. Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team.
8.1.6
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-f4m9-pgg8-nqa3 PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO) ### Impact The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB. The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism. In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent. Be careful if you have a module fetching these messages from the DB and displaying it without escaping html. ### Patches 8.1.x ### Reporter Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/) CVE-2024-21628
GHSA-vr7m-r9vm-m4wf
VCID-fkcb-5u24-wqbg PrestaShop some attribute not escaped in Validate::isCleanHTML method ### Description Some event attributes are not detected by the isCleanHTML method ### Impact Some modules using the isCleanHTML method could be vulnerable to xss ### Patches 8.1.3, 1.7.8.11 ### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. ### Reporters Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub). CVE-2024-21627
GHSA-xgpm-q3mq-46rq

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:15:26.236117+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.4.0
2026-04-17T00:14:52.166039+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.4.0
2026-04-16T23:40:07.064396+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.4.0
2026-04-16T22:58:08.874896+00:00 GitLab Importer Affected by VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.4.0
2026-04-16T22:51:42.485603+00:00 GitLab Importer Affected by VCID-5s8z-4eqn-p7h7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-26129.yml 38.4.0
2026-04-16T22:47:36.190616+00:00 GitLab Importer Fixing VCID-f4m9-pgg8-nqa3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21628.yml 38.4.0
2026-04-16T22:47:33.206046+00:00 GitLab Importer Fixing VCID-fkcb-5u24-wqbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21627.yml 38.4.0
2026-04-12T01:39:29.189242+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.3.0
2026-04-12T01:38:52.300730+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.3.0
2026-04-12T01:00:53.283778+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.3.0
2026-04-12T00:16:14.539596+00:00 GitLab Importer Affected by VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.3.0
2026-04-12T00:10:41.688920+00:00 GitLab Importer Affected by VCID-5s8z-4eqn-p7h7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-26129.yml 38.3.0
2026-04-12T00:07:22.834318+00:00 GitLab Importer Fixing VCID-f4m9-pgg8-nqa3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21628.yml 38.3.0
2026-04-12T00:07:20.112133+00:00 GitLab Importer Fixing VCID-fkcb-5u24-wqbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21627.yml 38.3.0
2026-04-03T01:48:24.457714+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.1.0
2026-04-03T01:47:49.382713+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.1.0
2026-04-03T01:09:06.035144+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.1.0
2026-04-03T00:23:15.759578+00:00 GitLab Importer Affected by VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.1.0
2026-04-03T00:16:18.227607+00:00 GitLab Importer Affected by VCID-5s8z-4eqn-p7h7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-26129.yml 38.1.0
2026-04-03T00:12:00.970128+00:00 GitLab Importer Fixing VCID-f4m9-pgg8-nqa3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21628.yml 38.1.0
2026-04-03T00:11:58.434242+00:00 GitLab Importer Fixing VCID-fkcb-5u24-wqbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21627.yml 38.1.0
2026-04-01T16:04:17.451275+00:00 GHSA Importer Fixing VCID-f4m9-pgg8-nqa3 https://github.com/advisories/GHSA-vr7m-r9vm-m4wf 38.0.0
2026-04-01T16:04:17.334496+00:00 GHSA Importer Fixing VCID-fkcb-5u24-wqbg https://github.com/advisories/GHSA-xgpm-q3mq-46rq 38.0.0
2026-04-01T12:52:21.881334+00:00 GitLab Importer Fixing VCID-f4m9-pgg8-nqa3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21628.yml 38.0.0
2026-04-01T12:52:21.734111+00:00 GitLab Importer Fixing VCID-fkcb-5u24-wqbg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-21627.yml 38.0.0
2026-04-01T12:49:59.795307+00:00 GithubOSV Importer Fixing VCID-f4m9-pgg8-nqa3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-vr7m-r9vm-m4wf/GHSA-vr7m-r9vm-m4wf.json 38.0.0
2026-04-01T12:49:55.511976+00:00 GithubOSV Importer Fixing VCID-fkcb-5u24-wqbg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-xgpm-q3mq-46rq/GHSA-xgpm-q3mq-46rq.json 38.0.0