PT-2026-57368 · Prestashop · Ps Facetedsearch

Published

2026-07-10

·

Updated

2026-07-11

·

CVE-2026-54159

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions ps facetedsearch versions 3.0.0 through 4.0.3
Description A PHP Object Injection issue exists in the ps facetedsearch module. The module rebuilds search filters from the request URL, but the values for slider filters, specifically price or weight, are not sufficiently validated. These values are stored in an internal filter-block cache as serialized data and subsequently processed using the native unserialize() function. An unauthenticated remote attacker can provide a crafted value to inject a malicious serialized PHP object into the cache. Upon deserialization, a gadget chain allows the attacker to write an arbitrary PHP file within the module directory, enabling remote code execution and full server compromise via a webshell.
Recommendations Upgrade the ps facetedsearch module to the patched version. In the getFromCache() method within the src/Filters/Block.php file, replace the native unserialize() call with Tools::unSerialize(). Remove price and weight slider filters from filter templates exposed on the front office. Clear the faceted-search filter cache and audit the modules/ps facetedsearch/ directory for unexpected PHP files. Monitor search requests for PHP serialization patterns and block them at the WAF level.

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54159
GHSA-M5F5-28QR-9G9R

Affected Products

Ps Facetedsearch