Deserialization Vulnerability in PrestaShop ps_facetedsearch Module
CVE-2026-54159
10CRITICAL
What is CVE-2026-54159?
The ps_facetedsearch module in PrestaShop versions 3.0.0 to 4.0.4 is affected by a deserialization vulnerability. This issue arises when the module rebuilds selected search filters directly from the request URL. It inadequately validates the values of slider filters, such as price or weight, leading to the possibility of storing a malicious serialized PHP object in the internal filter-block cache. An attacker can exploit this flaw, causing the unserialize() function to execute arbitrary PHP code by saving a webshell in the modules/ps_facetedsearch/ directory, which can be used for unauthorized server command execution. Users should upgrade to version 4.0.4 to mitigate this vulnerability.
Affected Version(s)
ps_facetedsearch >= 3.0.0, < 4.0.4
