GHSA-w9f3-qc75-qgx9: PrestaShop has a stored XSS executable in customer service view
Tags: critical vulnerability, security
Summary
PrestaShop's back-office customer service section has a stored XSS (cross-site scripting) vulnerability: attacker-controlled script is saved in the database and runs when the page that displays it is viewed. An unauthenticated attacker can submit a malicious email message through the public Contact Us form; the message is stored and then executes when an employee opens the customer thread, potentially allowing the attacker to hijack the employee's session and take over the back-office.
Solution / Mitigation
Patched in PrestaShop 8.2.6 and 9.1.1.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 8, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
prestashop/prestashop@>= 9.0.0, < 9.1.1 (fixed: 9.1.1)
prestashop/prestashop@< 8.2.6 (fixed: 8.2.6)
Original source: https://github.com/advisories/GHSA-w9f3-qc75-qgx9
First tracked: May 8, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%