External risk intelligence

PrestaShop ps_facetedsearch Webshell via Unserialized Input

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-54159

The vulnerability affects a module used in PrestaShop, which is a public-facing e-commerce web application. The module handles search and filtering features that are processed directly from public URL requests, making this functionality a common and standard part of an internet-facing storefront.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in a PrestaShop module used for layered navigation filters. The issue allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to a compromised website. The vulnerability is related to how the module processes and stores search filter data from URLs.

  • An attacker can take control of your website.
  • It affects an e-commerce search and filter module.
  • Confirm if this module is in use and update it.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target the ps_facetedsearch module by sending specially crafted requests to the e-commerce site. The module improperly processes slider filter values from the URL, allowing the attacker to inject a malicious PHP object into the cache. When this object is deserialized, it enables the attacker to write arbitrary files on the server, ultimately leading to command execution.

  • No authentication required.
  • Manipulate slider filter values in URL.
  • Arbitrary file write and command execution.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could execute arbitrary commands on the server by uploading a malicious PHP object through crafted requests. This object, when deserialized, can write a webshell into the `modules/ps_facetedsearch/` directory, allowing for server-side command execution.

  • Server-side code execution.
  • Malicious object smuggled into cache.
  • Arbitrary file write to modules directory.

Operational Fix

Recommended remediation, mitigation, and detection steps

The PrestaShop ps_facetedsearch module's vulnerability impacts e-commerce sites, likely making application owners and platform teams responsible for remediation. The first practical step involves identifying all instances of the affected module, confirming their reachability and business criticality, and then engaging the accountable owners to plan a risk-based remediation strategy.

  • Application owners should own the issue.
  • Verify module's external exposure.
  • Plan coordinated remediation activities.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the PrestaShop ps_facetedsearch module?

It is a specialized plugin for the PrestaShop e-commerce platform that powers layered navigation. This tool enables shoppers to filter product listings on a storefront using specific criteria like price ranges or product weight. By allowing users to refine search results dynamically via URL parameters, the module helps manage how information is displayed in an online store.

How does CVE-2026-54159 allow code execution?

This vulnerability stems from insecure data handling, classified as Improper Neutralization of Special Elements (CWE-74). The module takes filter values directly from a URL and saves them to a cache. Because the system later uses a native PHP function to unserialize this cached data without proper validation, an attacker can inject a malicious object that creates a file on the server, resulting in arbitrary code execution.

What triggers this security flaw?

The issue is triggered when an attacker sends a crafted web request that embeds a malicious object within a slider filter value, such as price or weight. This path requires no user authentication to initiate. Simply browsing the site or performing standard, non-malicious searches through the legitimate navigation interface does not trigger the vulnerability; it only occurs when an attacker intentionally injects custom, serialized data into the request parameters.

Is my site at risk according to Halo Surface Signal?

Yes, if you run an internet-facing PrestaShop storefront using the affected module, your risk is elevated. Halo Surface Signal identifies this as a likely target because the vulnerability resides in a core feature—search filtering—that is designed to process public input directly from the internet. Since these storefronts are typically exposed to the public by default, the functionality involved is inherently reachable to external actors.

What should I do to secure my PrestaShop installation?

Your primary action is to identify all instances of the ps_facetedsearch module within your environment. Once identified, verify if you are running a version between 3.0.0 and 4.0.3. If so, upgrade to version 4.0.4 or later, which contains the necessary fix for this issue. Coordinate with your platform and application teams to ensure these updates are applied promptly to mitigate the risk of unauthorized server access.

References