GHSA-M5F5-28QR-9G9R

Vulnerability from github – Published: 2026-07-10 20:36 – Updated: 2026-07-10 20:36
VLAI
Summary
prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Details

Impact

A PHP Object Injection vulnerability affects the PrestaShop module ps_facetedsearch.

The module rebuilds the selected search filters from the request URL. The value of a slider filter (price or weight) is taken from the URL without sufficient validation, then stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize(). By crafting that value, an attacker can smuggle a malicious serialized PHP object into the cache. When it is deserialized, a gadget chain writes an arbitrary PHP file inside the module directory, which is then used as a webshell to run commands on the server.

Who is impacted

Any shop using a vulnerable version of ps_facetedsearch that displays a filter template containing a slider filter (price or weight). Exploitation is remote and unauthenticated, a single crafted front-office request is enough, and leads to remote code execution and full compromise of the shop and its server.

Affected versions: 3.0.0 through 4.0.3 (all versions since 3.0.0, including the latest release).

Patches

Upgrade the ps_facetedsearch module to the patched version. Upgrading the module is the best action that removes the vulnerability.

Otherwise, you can apply the fix manually in the file src/Filters/Block.php:

In the getFromCache() method, replace the native unserialize() call:

// Before
if (!empty($row)) {
    return unserialize(current($row));
}

// After
if (!empty($row)) {
    return \Tools::unSerialize(current($row));
}

Until the module is upgraded:

  • Remove price and weight slider filters from the filter templates that are exposed on the front office.
  • Clear the faceted-search filter cache, and audit the modules/ps_facetedsearch/ directory for unexpected PHP files.
  • Monitor search requests for PHP serialization patterns (O:, ;i:, references to classes such as Monolog\…) and block them at the WAF level.

Resources

  • Thank you to Frédéric Moreau (Antadis) and Gilles Caudal (Datalinx) for reporting this vulnerability.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "prestashop/ps_facetedsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T20:36:56Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA PHP Object Injection vulnerability affects the PrestaShop module `ps_facetedsearch`.\n\nThe module rebuilds the selected search filters from the request URL. The value of a slider filter (**price** or **weight**) is taken from the URL without sufficient validation, then stored in an internal filter-block cache where it is serialized and later read back with a raw native `unserialize()`.\nBy crafting that value, an attacker can smuggle a malicious serialized PHP object into the cache. When it is deserialized, a gadget chain writes an arbitrary PHP file inside the module directory, which is then used as a webshell to run commands on the server.\n\n### Who is impacted\n\nAny shop using a vulnerable version of `ps_facetedsearch` that displays a filter template containing a slider filter (price or weight). Exploitation is remote and **unauthenticated**, a single crafted front-office request is enough, and leads to remote code\nexecution and full compromise of the shop and its server.\n\n**Affected versions:** `3.0.0` through `4.0.3` (all versions since 3.0.0, including the latest release).\n\n\n### Patches\n\nUpgrade the `ps_facetedsearch` module to the patched version. Upgrading the module is the best action that removes the vulnerability.\n\nOtherwise, you can apply the fix manually in the file `src/Filters/Block.php`:\n\nIn the `getFromCache()` method, replace the native `unserialize()` call:\n\n```php\n// Before\nif (!empty($row)) {\n    return unserialize(current($row));\n}\n\n// After\nif (!empty($row)) {\n    return \\Tools::unSerialize(current($row));\n}\n```\n\n### Until the module is upgraded:\n\n- Remove price and weight slider filters from the filter templates that are exposed on the\n  front office.\n- Clear the faceted-search filter cache, and audit the `modules/ps_facetedsearch/` directory for\n  unexpected PHP files.\n- Monitor search requests for PHP serialization patterns (`O:`, `;i:`, references to classes such\n  as `Monolog\\\u2026`) and block them at the WAF level.\n\n### Resources\n\n- Thank you to Fr\u00e9d\u00e9ric Moreau (Antadis) and Gilles Caudal (Datalinx) for reporting this vulnerability.",
  "id": "GHSA-m5f5-28qr-9g9r",
  "modified": "2026-07-10T20:36:56Z",
  "published": "2026-07-10T20:36:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PrestaShop/ps_facetedsearch/security/advisories/GHSA-m5f5-28qr-9g9r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PrestaShop/ps_facetedsearch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…