Incorrect neutralisation in the PrestaShop firmware
PrestaShop V8.2.1
INCIBE has coordinated the publication of a medium-severity vulnerability affecting the firmware of PrestaShop, a content management system for creating and managing online shops.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type
- CVE-2026-14846: CVSS v4.0: 4.5 | CVSS AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H | CWE-1236
No solution has been reported as yet.
CVE-2026-14846: In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-14846 | Media | no | Prestashop |



