PatchSiren


CVE-2026-39079 PrestaShop CVE debrief

CVE-2026-39079 describes a sensitive-information disclosure issue in the PrestaShop UPSShipping module, affecting versions through at least 2.4.0. A remote attacker may be able to access data exposed through /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php. Because the issue centers on exposed files and logs rather than code execution, the primary concern is unintended leakage of confidential operational data, credentials, or API-related information.

Vendor: PrestaShop
Product: UPSShipping
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Administrators and developers operating PrestaShop sites with the UPSShipping module enabled, especially where module files or logs may be reachable over the web.

Technical summary

The source corpus indicates that all versions of the PrestaShop UPSShipping module through at least 2.4.0 may expose sensitive information via the /modules/upsshipping/logs/ path and the /modules/upsshipping/lib/UPSBaseApi.php component. The available references do not provide a CVSS vector, exploit steps, or confirmed downstream impact beyond information disclosure, so the most defensible reading is that improperly accessible module content can reveal sensitive data to remote parties.

Defensive priority

High for any internet-facing PrestaShop deployment using UPSShipping, because exposed logs or library files can leak secrets that may enable follow-on compromise.

Recommended defensive actions

  • Identify all PrestaShop instances using the UPSShipping module and confirm the installed version.
  • Verify that /modules/upsshipping/logs/ and related module files are not publicly accessible from the internet.
  • Remove or protect sensitive logs, backups, and configuration files that may contain credentials or API details.
  • Update or replace the UPSShipping module once a fixed release is available from the vendor.
  • Rotate any secrets, API keys, or tokens that may have been exposed.
  • Review web access logs for requests to the affected paths and investigate unusual retrieval activity.
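For the access-log review in the last action, the following is an added example (not code from PatchSiren, NVD, or the module vendor) that triages log lines for requests to the two affected paths and separates requests that returned content from those that were refused. It assumes the Apache/nginx "combined" log format; the sample lines, IP addresses, and the EXAMPLE.log file name are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths named in the CVE description, lowercased for matching.
AFFECTED = ("/modules/upsshipping/logs/", "/modules/upsshipping/lib/upsbaseapi.php")

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(target):
    """Drop the query string, decode %xx, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def review(lines):
    """Return {client_ip: [hit, ...]} for requests to the affected paths."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = normalize(m["target"])
        # Substring match so shops installed under a sub-directory are covered.
        if not any(p in path for p in AFFECTED):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 2xx response with a body means content was actually returned.
        served = 200 <= status < 300 and size > 0
        hits[m["ip"]].append({"ts": m["ts"], "path": path, "status": status,
                              "bytes": size, "served": served})
    return dict(hits)

def served_clients(hits):
    """Clients that received content; these requests justify secret rotation."""
    return sorted(ip for ip, rows in hits.items() if any(r["served"] for r in rows))

# Constructed sample lines (documentation IP ranges, placeholder file name).
SAMPLE = [
    '198.51.100.7 - - [18/May/2026:10:01:02 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/May/2026:10:01:05 +0000] "GET /modules/upsshipping/logs/EXAMPLE.log HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '203.0.113.9 - - [18/May/2026:10:07:40 +0000] "GET /shop//modules/UPSShipping/lib/UPSBaseApi.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/May/2026:10:09:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Any client returned by served_clients received a response body from an affected path, so the timestamps of those hits bound the window in which logged secrets should be treated as disclosed.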

Evidence notes

This debrief is based on the official NVD record and the referenced Esokia advisory URL included in the source corpus. The corpus explicitly states that the issue affects the PrestaShop UPSShipping module through at least 2.4.0 and that sensitive information may be obtained via /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php. No CVSS score, weakness ID, exploit details, confirmed remediation version, or fully settled vendor attribution were supplied.

Official resources

Published by the CVE/NVD record on 2026-05-18T15:16:25.533Z.