CVE-2026-14846 in PrestaShop
Summary
by MITRE • 07/13/2026
In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability exists within PrestaShop version 8.2.1 where insufficient input validation permits malicious code injection through the 'Alias' parameter during address updates. The flaw stems from inadequate sanitization practices that fail to properly filter user-supplied data before processing, creating a path for persistent cross-site scripting attacks. The vulnerability specifically manifests in the 'Update your address' functionality where the Alias field does not undergo proper validation checks, allowing attackers to submit crafted payloads that bypass security measures. When users subsequently export their personal information through the 'Get my data in CSV' tool, the malicious code executes within the context of other users' browsers, enabling unauthorized access to sensitive personal data including addresses, contact information, and potentially financial details.
The technical implementation of this vulnerability aligns with CWE-79 Cross-Site Scripting flaws and represents a classic case of insufficient input validation where user-controllable parameters are not properly escaped or filtered before being stored and later rendered. Attackers can exploit this weakness by injecting script tags or other malicious payloads into the Alias field, which then persist in the system until the data is exported through the CSV functionality. The operational impact extends beyond simple data exposure as it provides attackers with a means to escalate privileges and potentially access administrative functions, particularly when combined with other vulnerabilities in the platform's authentication mechanisms. This issue directly violates security principles outlined in the OWASP Top Ten 2017 Category A03: Injection, specifically addressing the lack of proper input sanitization and output encoding.
The exploitation process requires minimal technical expertise as attackers can leverage standard web application penetration testing tools to identify and test the vulnerable parameter. Once successfully exploited, the malicious code can perform actions such as stealing session cookies, redirecting users to phishing sites, or extracting sensitive information from the victim's browser environment. The vulnerability affects all users who maintain addresses in their PrestaShop installation and particularly impacts e-commerce platforms where personal data protection is paramount. Organizations should implement immediate mitigations including input validation at multiple layers, output encoding for all dynamic content, and regular security audits of user input fields. Additionally, the implementation of Content Security Policy headers can provide an additional defense layer against script execution. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1566 Phishing, as it enables attackers to execute malicious code through web-based interfaces while potentially facilitating broader social engineering campaigns targeting end-users.
Organizations should prioritize patch management and implement proper data validation mechanisms across all user input fields. The recommended mitigations include deploying web application firewalls that can detect and block suspicious payloads, implementing strict input sanitization routines that filter out potentially dangerous characters, and establishing comprehensive logging of address update activities for anomaly detection. Regular security assessments should verify that all user-controllable parameters undergo proper validation before being processed or stored in databases. The vulnerability demonstrates the critical importance of defense-in-depth strategies where multiple layers of protection work together to prevent successful exploitation attempts, particularly in e-commerce environments handling sensitive personal and financial data.