CVE-2026-54159 in ps_facetedsearchinfo

Zusammenfassung

von MITRE • 17.07.2026

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value of a slider filter, price or weight, is taken from the URL without sufficient validation and stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting that value, an unauthenticated attacker can smuggle a malicious serialized PHP object into the cache, and when it is deserialized, a gadget chain writes an arbitrary PHP file inside the modules/ps_facetedsearch/ directory, which is then used as a webshell to run commands on the server. This issue is fixed in version 4.0.4.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Zuständig

GitHub M

Reservieren

11.06.2026

Veröffentlichung

17.07.2026

Moderieren

akzeptiert

Eintrag

VDB-379975

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Do you know our Splunk app?

Download it now for free!