CVE-2026-33673 Overview
PrestaShop, a widely-used open source e-commerce web application, contains a stored Cross-Site Scripting (XSS) vulnerability in the back-office (BO) administrative interface. Versions prior to 8.2.5 and 9.1.0 are affected by this security flaw that allows attackers to exploit unprotected variables in back-office templates. An attacker who can inject data into the database—either through limited back-office access or by leveraging a previously existing vulnerability—can execute arbitrary JavaScript code in the context of authenticated administrator sessions.
Critical Impact
Stored XSS in the PrestaShop back-office can lead to session hijacking, privilege escalation, and full administrative account compromise, potentially allowing attackers to take complete control of e-commerce operations.
Affected Products
- PrestaShop versions prior to 8.2.5 (8.x branch)
- PrestaShop versions prior to 9.1.0 (9.x branch)
- All PrestaShop installations with vulnerable back-office templates
Discovery Timeline
- 2026-03-26 - CVE-2026-33673 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33673
Vulnerability Analysis
This stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) exists within PrestaShop's back-office template rendering system. The vulnerability stems from improper sanitization of user-controllable data that is stored in the database and subsequently rendered in administrative interface templates without adequate output encoding.
The attack requires an adversary to first inject malicious script content into the database. This can be accomplished through limited back-office access (such as a low-privileged employee account) or by chaining this vulnerability with another pre-existing flaw that permits database manipulation. Once the malicious payload is stored, it executes whenever an administrator accesses the affected back-office page, making this a persistent attack vector.
The CVSS scope is Changed, meaning the vulnerability can impact resources beyond the vulnerable component itself—in this case, potentially affecting other administrative users and their sessions.
Root Cause
The root cause of CVE-2026-33673 lies in the failure to properly escape or sanitize user-supplied data before rendering it in back-office Smarty templates. PrestaShop templates contain variables that pull data directly from the database without applying proper output encoding, allowing stored HTML and JavaScript content to be executed in the browser context of administrators viewing the affected pages.
Attack Vector
The attack vector is network-based, requiring the attacker to first establish a foothold that allows database injection. The exploitation chain typically involves:
- Gaining limited back-office access through compromised credentials or social engineering
- Identifying input fields that store data without proper sanitization
- Injecting malicious JavaScript payloads into database fields
- Waiting for high-privileged administrators to access the affected back-office pages
- Executing arbitrary JavaScript in the victim's browser session to steal session tokens, modify configurations, or escalate privileges
The vulnerability mechanism centers on unprotected template variables that render database content directly into HTML output. When administrators view pages containing these variables, the stored malicious scripts execute within their authenticated session context. For detailed technical information, see the GitHub Security Advisory GHSA-35pf-37c6-jxjv.
Detection Methods for CVE-2026-33673
Indicators of Compromise
- Unusual JavaScript code or HTML tags stored in database fields typically containing plain text (product descriptions, employee names, configuration values)
- Suspicious back-office activity logs showing unexpected administrative actions
- Session anomalies where administrator accounts appear to be accessed from multiple locations simultaneously
- Database entries containing common XSS payloads such as <script>, onerror=, onload=, or encoded variants
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in HTTP requests targeting the PrestaShop back-office
- Deploy Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor database write operations for suspicious patterns indicative of XSS payload injection
- Conduct regular security scans of database content to identify stored malicious scripts
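The indicator list and the database scan recommended above, worked into a small scanner as an added example (not part of the advisory or of PrestaShop's code): it strips HTML-entity and URL-encoding layers before matching, so encoded variants are caught, and it generalizes the listed `<script>`, `onerror=` and `onload=` indicators to any inline event handler plus `javascript:` URLs. The table and column names in the sample rows are constructed; product descriptions legitimately contain markup, so plain HTML tags are deliberately not flagged.

```python
import html
import re
from urllib.parse import unquote

# Advisory indicators (<script>, onerror=, onload=) generalized to any inline handler and javascript: URLs.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon\w+\s*=", re.IGNORECASE)),
    ("javascript_url", re.compile(r"javascript\s*:", re.IGNORECASE)),
]

def normalize(value: str, max_rounds: int = 3) -> str:
    """Strip HTML-entity and URL-encoding layers (bounded, so double encoding is covered)."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            break
        current = decoded
    return current

def find_indicators(value: str) -> list:
    """Names of indicator patterns matching either the raw or the decoded value."""
    decoded = normalize(value)
    return [name for name, pattern in XSS_PATTERNS
            if pattern.search(value) or pattern.search(decoded)]

def scan_rows(rows) -> list:
    """Scan (table, column, primary_key, value) tuples, as fetched from a DB cursor, and report hits."""
    findings = []
    for table, column, pk, value in rows:
        if not isinstance(value, str):
            continue  # skip NULLs and non-text columns
        hits = find_indicators(value)
        if hits:
            findings.append({"table": table, "column": column, "id": pk,
                             "indicators": hits, "decoded": normalize(value)})
    return findings

# Constructed sample rows standing in for a SELECT over columns rendered in back-office templates.
SAMPLE_ROWS = [
    ("ps_employee", "lastname", 7, "Doe<script>alert(1)</script>"),
    ("ps_product_lang", "description", 42, "Great <b>shoes</b> &lt;img src=x onerror=alert(1)&gt;"),
    ("ps_configuration", "value", 13, "%3Csvg%20onload%3Dalert(1)%3E"),
    ("ps_product_lang", "description", 43, "Text mentioning onload, not an attribute"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding["table"], finding["column"], finding["id"], finding["indicators"])
```

Feed the scanner the output of a query over the columns your back-office pages render; anything it reports should be inspected by hand, since the decoded text is returned alongside the match.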
Monitoring Recommendations
- Enable comprehensive logging for all back-office administrative actions and database modifications
- Configure alerts for unusual back-office access patterns, particularly from new IP addresses or at unexpected times
- Monitor for CSP violation reports that may indicate attempted XSS exploitation
- Review browser console logs on administrator workstations for blocked script execution attempts
How to Mitigate CVE-2026-33673
Immediate Actions Required
- Upgrade PrestaShop immediately to version 8.2.5 (8.x branch) or 9.1.0 (9.x branch), depending on your installed branch
- Audit database content for any potentially malicious stored scripts, particularly in fields rendered in back-office templates
- Review back-office access logs to identify any suspicious activity that may indicate exploitation attempts
- Implement Content Security Policy headers as an additional defense layer while patching is in progress
Patch Information
PrestaShop has released patched versions that address this stored XSS vulnerability. Organizations running affected versions should upgrade to the following fixed releases:
- Version 8.2.5 - PrestaShop Release v8.2.5
- Version 9.1.0 - PrestaShop Release v9.1.0
For complete vulnerability details and patch information, refer to the GitHub Security Advisory GHSA-35pf-37c6-jxjv.
Workarounds
- No official workarounds are listed in the vendor advisory; the measures below are general defense-in-depth steps until the upgrade is applied
- Implement strict Content Security Policy headers to reduce XSS impact as a temporary measure
- Restrict back-office access to trusted IP addresses via network-level controls
- Conduct thorough database audits to remove any potentially malicious content stored in affected fields
# Example: Implementing CSP headers in Apache configuration (requires mod_headers)
# Add to .htaccess or Apache configuration file; because a script-src without 'unsafe-inline'
# blocks inline scripts, trial the policy via Content-Security-Policy-Report-Only before enforcing it
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.