Back to overview

CVE-2026-14846

MEDIUM
4.5
CVSS 4.0
Description
In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

Metadata

CVE ID
CVE-2026-14846
State
PUBLISHED
Assigner
INCIBE
Reserved
2026-07-06 11:34 UTC
Published
2026-07-13 09:31 UTC
Last updated
2026-07-13 14:12 UTC
Primary CWE
CWE-1236
CWE-1236 Improper neutralization of formula elements in a CS…
Vendor / Product
PrestaShop / The firmware
Sources
cve.org  ·  NVD

Severity & Metrics

4.5 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
PrestaShop The firmware 8.2.1
Weakness (CWE)
CWESourceDescription
CWE-1236 cna CWE-1236 Improper neutralization of formula elements in a CSV file
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.5 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H
Back to overview