PrestaShop stores can lose admin control or customer data through website contact forms

CVE advisory
Severity: CRITICAL (CVSS 9.3)

CVE-2026-44212

PrestaShop online stores are at risk of full admin takeover or data theft via a public website form, allowing attackers to hijack sessions. Update to version 8.2.6 or 9.1.1 immediately.

Halo Surface Signal score: 4

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-44212

PrestaShop is a widely deployed open-source e-commerce web application. The vulnerability is triggered via the public-facing 'Contact Us' form, which is a standard, internet-exposed component of nearly all e-commerce installations, making the attack surface readily reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to inject malicious code into your e-commerce store's back office by submitting a specially crafted e-mail address via the public Contact Us form. The stored value is rendered without proper handling in the Customer Service view, so the code executes in an employee's browser when they open the customer's thread, potentially leading to unauthorized access to and control of your administrative functions.

  • Allows takeover of the admin panel.
  • Attacker doesn't need an account.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by submitting a malicious e-mail address through the public "Contact Us" form. The payload is stored with the customer thread and executes in the back-office employee's browser when they view that thread, which can lead to session hijacking and full control of the back office.

  • Public contact form is vulnerable.
  • Stored payload executes on view.
  • Back-office session hijacking is possible.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this stored XSS vulnerability in PrestaShop attractive because it can lead to full back-office takeover through session hijacking. The ease of exploitation via a public-facing form, requiring no authentication, further increases its appeal. Although a fix is available, unpatched versions remain a potential target for motivated attackers.

  • Exploitable through public form.
  • Stored payload, executed on access.
  • Unpatched versions remain vulnerable.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching PrestaShop instances to version 8.2.6 or 9.1.1 immediately, as this stored XSS vulnerability in the Customer Service view allows unauthenticated attackers to hijack sessions and take over the back office. If patching is delayed, implement strict input validation on the public Contact Us form, in particular its e-mail field, and monitor back-office customer service threads for suspicious submissions.

  • Apply patches 8.2.6 or 9.1.1.
  • Validate 'Contact Us' form input.
  • Monitor back-office threads for anomalies.
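As an added illustration of the two interim measures above (this is not PrestaShop's own code; PrestaShop is written in PHP and the same logic would be implemented there), the Python below shows strict server-side validation of the contact form's e-mail field, HTML-escaping of that field wherever the back-office thread view places it into a page, and a detection pass that flags stored thread records whose e-mail value carries markup. The record field names and sample values are constructed for the example.

```python
import html
import re

# Strict allowlist for the Contact Us e-mail field. Deliberately narrower than
# RFC 5322: it accepts the overwhelming majority of real addresses while
# rejecting every character that can open an HTML tag or attribute. Some
# RFC-legal addresses (quoted local parts, apostrophes) are rejected on purpose.
STRICT_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Markup-significant characters that never belong in a stored e-mail address;
# used by the detection pass over records accepted before the patch was applied.
MARKUP_CHARS = re.compile(r"""[<>"'`=&/\\\s]""")


def is_acceptable_email(value: str) -> bool:
    """Server-side validation for the public form: reject on any doubt."""
    return STRICT_EMAIL.fullmatch(value) is not None


def render_email_cell(value: str) -> str:
    """Output encoding for the back-office thread view: escape every time the
    value is placed into HTML, regardless of whether it was validated on input."""
    return html.escape(value, quote=True)


def find_suspicious_threads(threads):
    """Detection over stored customer-service records (e.g. a database export).
    Returns the ids whose e-mail value fails validation or carries markup."""
    flagged = []
    for record in threads:
        email = record.get("email", "")
        if not is_acceptable_email(email) or MARKUP_CHARS.search(email):
            flagged.append(record["id"])
    return flagged


# Constructed sample records with assumed field names; not real PrestaShop data.
SAMPLE_THREADS = [
    {"id": 101, "email": "alice@example.com"},
    {"id": 102, "email": "<b>bob</b>@example.com"},
    {"id": 103, "email": 'carol"@example.com'},
    {"id": 104, "email": "o'neil@example.com"},  # RFC-legal, rejected by the allowlist
]

if __name__ == "__main__":
    for record in SAMPLE_THREADS:
        print(record["id"], is_acceptable_email(record["email"]), render_email_cell(record["email"]))
    print("flagged:", find_suspicious_threads(SAMPLE_THREADS))
```

The allowlist knowingly rejects some RFC-legal addresses, which is an acceptable trade-off for a public form; the escaping on output is what actually neutralises a payload that is already stored, so it must be applied in the view even after validation is in place.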

Frequently asked questions

What is PrestaShop and what is it used for?

PrestaShop is an open-source e-commerce web application. It is used by businesses to create and manage online stores, allowing them to sell products and services over the internet.

What type of vulnerability is CVE-2026-44212 in PrestaShop?

CVE-2026-44212 is a stored Cross-Site Scripting (XSS) vulnerability. This weakness allows attackers to inject malicious code that gets stored and executed later when a legitimate user interacts with the affected part of the software.

How can an attacker exploit this PrestaShop vulnerability?

An unauthenticated attacker can exploit this by submitting a malicious email address through the public "Contact Us" form. The harmful code is stored and runs when a back-office employee views the customer service thread, potentially leading to session hijacking.

Who should be concerned about this PrestaShop vulnerability?

Any organization using PrestaShop, especially those with internet-facing customer service forms, should be concerned. The vulnerability's nature means it can be reached from the internet, posing a significant risk to e-commerce operations.

What is the first step to address this PrestaShop vulnerability?

The immediate first step is to update PrestaShop to version 8.2.6 or 9.1.1, as these versions contain the fix for this vulnerability. If immediate patching isn't possible, carefully validate all input on the 'Contact Us' form.
