Incorrect neutralisation in the PrestaShop firmware

Posted date 13/07/2026
Identificador
INCIBE-2026-480
Importance
3 - Medium
Affected Resources

PrestaShop V8.2.1

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting the firmware of PrestaShop, a content management system for creating and managing online shops.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type

  • CVE-2026-14846: CVSS v4.0: 4.5 | CVSS AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H | CWE-1236
Solution

No solution has been reported as yet.

Detail

CVE-2026-14846: In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-14846 Media no Prestashop
References list