Incorrect neutralisation in the PrestaShop firmware
Summary
| CVE | CVE-2026-14846 |
|---|---|
| State | PUBLISHED |
| Assigner | INCIBE |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-13 10:16:26 UTC |
| Updated | 2026-07-13 18:05:36 UTC |
| Description | In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data. |
Risk And Classification
Primary CVSS: v4.0 4.5 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.003300000 probability, percentile 0.249700000 (date 2026-07-13)
Problem Types: CWE-1236 | CWE-1236 CWE-1236 Improper neutralization of formula elements in a CSV file
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 4.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 4.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
HighUser Interaction
ActiveConfidentiality
LowIntegrity
LowAvailability
LowSub Conf.
LowSub Integrity
LowSub Availability
HighCVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | PrestaShop | The Firmware | affected 8.2.1 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.incibe.es/en/incibe-cert/notices/aviso/incorrect-neutralisation-prestas... | [email protected] | www.incibe.es | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: No solution has been reported as yet.
There are currently no legacy QID mappings associated with this CVE.