Top/Articles/Perfect-10 unauthenticated takeover in PrestaShop's search module: CVE-2026-54159 β€” update ps_facetedsearch to 4.0.4
prestashop-cve-cover-en

Perfect-10 unauthenticated takeover in PrestaShop's search module: CVE-2026-54159 β€” update ps_facetedsearch to 4.0.4

PrestaShop, the popular free software for building online stores, has a maximum-severity (10.0) flaw in its standard filtered-search feature. Tracked as CVE-2026-54159, a single crafted URL can take over the shop and server with no login. The affected module is Faceted Search 3.0.0-4.0.3; update to 4.0.4.

NewsPublished July 18, 2026 Updated today
Table of contents
Key takeaways

PrestaShop, the popular free software for building online stores, has a maximum-severity (10.0) flaw in its standard filtered-search feature. Tracked as CVE-2026-54159, a single crafted URL can take over the shop and server with no login. The affected module is Faceted Search 3.0.0-4.0.3; update to 4.0.4.

The popular free software for building online stores, PrestaShop, has a severe flaw in its standard filtered-search feature, rated the maximum severity of 10.0. Tracked as CVE-2026-54159, it means a single crafted URL can let an attacker take over the shop and the server behind it with no login. Because it targets the foundation of a store that handles member data, orders, and payments, the impact is significant.

The problem is in the "Faceted Search" module (add-on) that filters products by price and attributes. It's a staple used by many PrestaShop stores, and on July 17, 2026 the project released the fix, version 4.0.4. Affected stores should update before exploitation spreads. Below we walk through what happens, which stores are affected, and how to respond.

Key points (3 lines)

  • PrestaShop's filtered-search feature has a maximum-severity (10.0) flaw. With no login, a single crafted URL can lead to full shop takeover.
  • Affected is the "Faceted Search" (ps_facetedsearch) module, versions 3.0.0–4.0.3. Any store on PrestaShop 1.7.1.0 or later is in scope.
  • The fix, 4.0.4, is out. Affected stores should update immediately. No real-world attacks or KEV listing are known as of now.

What are PrestaShop and "faceted search"?

PrestaShop is free software that lets you open an online store without programming expertise. Hundreds of thousands of stores use it worldwide, especially across Europe, and some Japanese businesses selling abroad use it too. Since it's the foundation of a store, a hole here puts product info, member data, and order records all at risk at once.

The affected "Faceted Search" is the feature shoppers use to narrow down products β€” think of the left-hand sidebar that filters by price range, color, size, or brand. It's a staple module that most stores install by default, which is exactly why its reach is so wide.

The tricky part is that this feature runs on the "front end" that any shopper can touch β€” no account or login required. So an attacker can trigger the hole with what looks like ordinary access to the store. It earned the maximum severity of 10.0 precisely because the conditions "anyone, no login, remote" all line up.

Who targets this, and why

The people who exploit this are attackers who mechanically sweep for PrestaShop stores still running an old Faceted Search. Online stores concentrate money and personal data, so they're lucrative targets, and stores slow to update make easy prey. This isn't just about big-name shops.

By planting a crafted value in the URL parameter used for price filtering, attackers aim to write a malicious "backdoor" (web shell) program onto the server and control the shop remotely at will. Once a backdoor is in place, anything goes.

The damage doesn't stop at the store owner. A hijacked store can be fitted with "web skimming" that steals card details on the checkout page, or suffer leaks of member data and order history, or redirects to fake pages. Ordinary shoppers can have their card data stolen without knowing. A store takeover ties directly to the owner's reputation and to customer harm. That's why the update below is urgent. This pattern of damage spreading through an "open-source component" is also covered in our guide to risks hidden in open-source components.

A technical look β€” why one URL is enough

Technically, this is a "PHP object injection." PrestaShop is written mostly in the PHP language. Faceted Search read the filter conditions a shopper chose from the URL and stored and restored them as-is in an internal cache (a temporary storage area). The cause is that it used PHP's unserialize() for that restore without adequately checking the input.

In particular, the value used by the price/weight slider (range filters) was taken from the URL almost unchecked. An attacker slips a maliciously crafted "PHP object (a bundle of data)" into that value. It's stored in the cache, and when later restored with unserialize(), a technique called a "gadget chain" β€” abusing internal components in sequence β€” lets the attacker write an arbitrary PHP file inside the module's folder. That file is then used as a remote-control backdoor (web shell) to run any command on the server.

All the attack needs is one crafted request to the front end β€” no login and no special privilege. Passing untrusted input straight to unserialize() is a classic pitfall long known to be dangerous, and that's exactly what was exploited here.

Is my store affected? (Quick reference)

Whether you're affected comes down to the version of the Faceted Search (ps_facetedsearch) module you have. You can check it from the module list in the admin.

Module versionImpactAction
3.0.0–4.0.3Affected
(risk of unauth RCE)
Update to 4.0.4+ now
4.0.4 or laterAlready fixedNo action needed
Before 3.0.0Not in this advisory
(mind older releases)
Update to latest

This flaw affects stores where PrestaShop core is 1.7.1.0 or later. Since Faceted Search is a staple module most stores use, "we don't have a special setup, so we're fine" is not a safe assumption. Don't guess the version β€” check it in the module list.

What to do right now

The top priority is to update the Faceted Search (ps_facetedsearch) module to 4.0.4 or later. You can update it from module management in the PrestaShop admin. Because it touches the foundation of a store handling payments and member data, don't put it off.

If you can't update immediately, a temporary mitigation is to configure a WAF (a system that detects and blocks malicious traffic) in front of the store to reject requests where the filtered-search parameters contain unnatural values. But this is only a stopgap; the real fix is updating the module. It's also wise to check whether any unfamiliar PHP files have been created in the module's folder, and whether any suspicious admin accounts have been added.

As of now, there are no reports of this flaw being used in real attacks, and it is not on the U.S. CISA catalog of actively exploited vulnerabilities (KEV). But with the maximum severity of 10.0 and a clear technique, exploitation is likely only a matter of time. You can check whether attacks have begun in our tracker of actively exploited vulnerabilities (Japanese). As a flaw in the foundation of an online store or site, it shares cautionary ground with the WordPress core vulnerability found around the same time.

FAQ

Q. How dangerous is it?

It's rated the maximum 10.0 on the CVSS scale. No login or special privilege is needed; a single crafted URL can let an attacker remotely take over the shop and server. Because it touches the store's foundation, a successful attack puts member data and order/payment data at risk.

Q. How do I check if my store is affected?

In the PrestaShop admin module list, check the version of "Faceted Search (ps_facetedsearch)." Versions 3.0.0–4.0.3 are affected; 4.0.4 or later is fixed. Stores on PrestaShop core 1.7.1.0 or later are in scope.

Q. What if I can't update right away?

As a stopgap, a WAF in front of the store can block requests where the filtered-search parameters contain suspicious values. But that's temporary; the real fix is updating the module to 4.0.4 or later. Also check whether any unfamiliar PHP files have appeared in the module's folder.

Q. Is it being exploited already?

There are currently no reports of real-world exploitation, and it is not on the U.S. CISA KEV catalog of actively exploited vulnerabilities. But given the maximum severity and a clear technique, updating promptly is strongly recommended.

Summary

PrestaShop's staple filtered-search feature, "Faceted Search," has a maximum-severity (10.0) flaw (CVE-2026-54159). From the front end that any shopper can reach, a single crafted URL with no login can lead to takeover of the shop and its server. The cause is restoring values taken from the URL via unserialize() without adequate checking.

The saving grace is that the fix, 4.0.4, is already out. Affected is the search module 3.0.0–4.0.3, on stores running PrestaShop 1.7.1.0 or later. There are no reports of attacks yet, but with maximum severity and a clear technique, exploitation is a matter of time. Affected stores should update to 4.0.4 or later immediately β€” to protect payments and customer data.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django