Deserialization Vulnerability in PrestaShop ps_facetedsearch Module
CVE-2026-54159

10CRITICAL

Key Information:

Vendor

Prestashop

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54159?

The ps_facetedsearch module in PrestaShop versions 3.0.0 to 4.0.4 is affected by a deserialization vulnerability. This issue arises when the module rebuilds selected search filters directly from the request URL. It inadequately validates the values of slider filters, such as price or weight, leading to the possibility of storing a malicious serialized PHP object in the internal filter-block cache. An attacker can exploit this flaw, causing the unserialize() function to execute arbitrary PHP code by saving a webshell in the modules/ps_facetedsearch/ directory, which can be used for unauthorized server command execution. Users should upgrade to version 4.0.4 to mitigate this vulnerability.

Affected Version(s)

ps_facetedsearch >= 3.0.0, < 4.0.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.