CVE-2026-14846 PUBLISHED

Incorrect neutralisation in the PrestaShop firmware

Assigner: INCIBE
Reserved: 06.07.2026 Published: 13.07.2026 Updated: 13.07.2026

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H
CVSS Score: 4.5

Product Status

Vendor PrestaShop
Product The firmware
Versions Default: unaffected
  • Version 8.2.1 is affected

Solutions

No solution has been reported as yet.

References

Problem Types

  • CWE-1236 Improper neutralization of formula elements in a CSV file CWE