In recent days, PrestaShop has confirmed a critical security vulnerability affecting thousands of online stores. We explain what happened, how it affects you, and what you need to do to protect your business.

🔍 What happened?

A Stored Cross-Site Scripting (XSS) vulnerability has been detected in the PrestaShop administration panel, identified as CVE-2026-44212, with a CVSS severity score of 9.3 out of 10 (Critical).

The flaw was reported by researcher Savio from Doyensec in collaboration with Anthropic Research, and has been officially published through the GitHub Security Advisory (GHSA-w9f3-qc75-qgx9).

🎯 How does the attack work?

The vulnerability is especially dangerous because the attacker does not need to have an account on your store.

The attack vector is as follows:

  1. The attacker accesses the public "Contact" form on your store.
  2. They enter an email address that contains malicious HTML/JavaScript code.
  3. The code is silently stored in your database.
  4. When you or your team open that thread in the Customer Service section of the back office, the malicious code automatically executes in the administrator's browser.

Once that code runs, the attacker can steal the administrator's session, take full control of the control panel, and perform any action: steal customer data, modify prices, install malicious modules, or even redirect your store's payments.

⚙️ Affected versions

The vulnerable PrestaShop versions are:

  • All versions prior to 8.2.6
  • All versions from 9.0.0 up to and including 9.1.0

The secure versions are 8.2.6 and 9.1.1, which include the official security patch.

🛡️ What should you do?

✅ Recommended solution: Update your store

The safest option is to update your PrestaShop to version 8.2.6 or 9.1.1, depending on the branch you are using. These versions fix the vulnerability at both ends: where the stored value is displayed and where the input is validated.
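To make the two halves of that fix concrete, here is a small PHP illustration, added for this article (it is not PrestaShop's code nor the official patch), of the mechanism described in the attack vector above and of the controls that stop it: the unescaped rendering that lets a stored email field run in the back office, the escaped rendering, validation of the email field on input, and a check over already-stored threads for values that could never have been valid addresses. The function names, the sample rows and the `id`/`email` column names are assumptions made for the example.

```php
<?php
// Added example (not PrestaShop's own code): the controls that matter for a
// stored XSS in a contact-form email field. Validate on input, escape on output,
// and detect payloads that are already stored. Column names are assumptions.

declare(strict_types=1);

/**
 * Input validation: accept only a syntactically valid e-mail address.
 * filter_var() rejects angle brackets, quotes and whitespace, so markup
 * never reaches the database in the first place.
 */
function isValidContactEmail(string $email): bool
{
    $email = trim($email);
    return $email !== ''
        && strlen($email) <= 255
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Vulnerable rendering: the stored value is interpolated into HTML as-is.
 * Kept only to show the failure mode; never use this form.
 */
function renderEmailCellUnsafe(string $storedEmail): string
{
    return '<td>' . $storedEmail . '</td>';
}

/**
 * Hardened rendering: context-aware escaping for an HTML text node.
 * ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
 * returning an empty string on invalid UTF-8 (which would hide the row).
 */
function renderEmailCellSafe(string $storedEmail): string
{
    return '<td>' . htmlspecialchars($storedEmail, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * Detection: flag rows whose stored e-mail could not have passed validation.
 * $rows mimics a result set of ['id' => int, 'email' => string] read from
 * the customer-thread table (assumed column names).
 */
function findSuspiciousStoredEmails(array $rows): array
{
    $suspicious = [];
    foreach ($rows as $row) {
        if (!isValidContactEmail($row['email'])) {
            $suspicious[] = $row['id'];
        }
    }
    return $suspicious;
}

// Constructed sample data: one legitimate thread and one carrying markup.
$sampleRows = [
    ['id' => 101, 'email' => 'customer@example.com'],
    ['id' => 102, 'email' => 'store@example.com<i>markup</i>'],
];

foreach ($sampleRows as $row) {
    printf("thread %d  valid=%s\n", $row['id'], isValidContactEmail($row['email']) ? 'yes' : 'no');
    echo '  unsafe: ', renderEmailCellUnsafe($row['email']), "\n";
    echo '  safe:   ', renderEmailCellSafe($row['email']), "\n";
}

echo 'threads to review: ', implode(', ', findSuspiciousStoredEmails($sampleRows)), "\n";
```

Run it with the PHP CLI (`php example.php`). The second row fails validation and, in the safe renderer, comes out as inert text rather than markup. The last function is the check worth running against the real customer-thread rows once the store is patched: the update stops new payloads from being stored and from executing, but rows written before the update remain in the database and are evidence that someone tried.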

If you have any doubts about how to perform the update, Hepta Technologies can help you do it safely, minimising any risk of incompatibility with your theme or custom modules.

🧩 Alternative solutions

If you cannot update the entire store right now, I have published a step-by-step guide on the EasyPresta blog on how to apply the security patch manually, including the differences between PrestaShop versions. You can read the detailed article here:

👉 Full article: Critical PrestaShop alert (CVE-2026-44212)

There you will find a complete explanation of the vulnerability, the vulnerable code, the official patch, and a guide to manually apply the fix for each PrestaShop version.

📞 Do you need help?

At Hepta Technologies we have been monitoring this vulnerability from the very beginning. If your store is affected and you would prefer us to handle the update or apply the patch for you, do not hesitate to contact us.

Official references: INCIBE | GitHub Advisory (GHSA-w9f3-qc75-qgx9) | PrestaShop 8.2.6 | PrestaShop 9.1.1