CVE-2026-54159

PrestaShop · ps_facetedsearch

A PHP object injection vulnerability in the PrestaShop ps_facetedsearch module allows unauthenticated attackers to achieve remote code execution via a malicious serialized object.

Executive summary

A critical deserialization vulnerability in the PrestaShop ps_facetedsearch module allows unauthenticated attackers to execute arbitrary code on the host server.

Vulnerability

The module improperly uses the native PHP unserialize() function on unsanitized user-supplied data from the URL (CWE-74). This allows an attacker to inject a malicious serialized PHP object that, when processed, creates a webshell in the module directory.

Business impact

With a CVSS score of 10.0, this vulnerability represents the highest level of risk. An attacker can achieve complete server compromise, leading to full data theft, unauthorized modification of store content, and complete loss of system availability.

Remediation

Immediate Action: Update the ps_facetedsearch module to version 4.0.4 or later immediately.

Proactive Monitoring: Inspect the modules/ps_facetedsearch/ directory for the presence of unknown or unauthorized PHP files that may indicate a deployed webshell.

Compensating Controls: Ensure the web server user has restricted write permissions to the application directory to prevent the creation of executable files.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the CVSS score of 10.0, this is a top-priority security issue. Organizations using the PrestaShop ps_facetedsearch module must apply the update immediately to prevent total server compromise.