CVE-2026-54159
PrestaShop · ps_facetedsearch
A PHP object injection vulnerability in the PrestaShop ps_facetedsearch module allows unauthenticated attackers to achieve remote code execution via a malicious serialized object.
Executive summary
A critical deserialization vulnerability in the PrestaShop ps_facetedsearch module allows unauthenticated attackers to execute arbitrary code on the host server.
Vulnerability
The module improperly uses the native PHP unserialize() function on unsanitized user-supplied data from the URL (CWE-74). This allows an attacker to inject a malicious serialized PHP object that, when processed, creates a webshell in the module directory.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. An attacker can achieve complete server compromise, leading to full data theft, unauthorized modification of store content, and complete loss of system availability.
Remediation
Immediate Action: Update the ps_facetedsearch module to version 4.0.4 or later immediately.
Proactive Monitoring: Inspect the modules/ps_facetedsearch/ directory for the presence of unknown or unauthorized PHP files that may indicate a deployed webshell.
Compensating Controls: Ensure the web server user has restricted write permissions to the application directory to prevent the creation of executable files.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the CVSS score of 10.0, this is a top-priority security issue. Organizations using the PrestaShop ps_facetedsearch module must apply the update immediately to prevent total server compromise.