PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54159 PrestaShop CVE debrief

The CVE-2026-54159 vulnerability affects PrestaShop's ps_facetedsearch module, versions 3.0.0 to 4.0.4. An unauthenticated attacker can inject a malicious serialized PHP object into the cache, leading to arbitrary PHP file creation and potential code execution. This issue is a critical vulnerability that can be exploited to run commands on the server. Users of PrestaShop's ps_facetedsearch module should be aware of this vulnerability and take immediate action to update to version 4.0.4 or apply necessary patches.

Vendor
PrestaShop
Product
ps_facetedsearch
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of PrestaShop's ps_facetedsearch module, especially those with versions between 3.0.0 and 4.0.4, should be aware of this critical vulnerability and take immediate action to update to version 4.0.4 or apply necessary patches. Affected operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The ps_facetedsearch module rebuilds selected search filters from the request URL without sufficient validation. The value of a slider filter, price or weight, is taken from the URL and stored in an internal filter-block cache. This value is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting this value, an attacker can smuggle a malicious serialized PHP object into the cache. When deserialized, a gadget chain writes an arbitrary PHP file inside the modules/ps_facetedsearch/ directory, which can be used as a webshell to run commands on the server.

Defensive priority

High

Recommended defensive actions

  • Update ps_facetedsearch module to version 4.0.4 or later
  • Review and validate user input for search filters
  • Implement additional security measures to prevent PHP object injection
  • Monitor for suspicious activity and potential webshell creation
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T21:17:07.963Z and has not been modified since then. The NVD entry is currently being reviewed. Limited source detail is available, and defenders should verify the affected scope and severity with the official CVE record and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:07.963Z and has not been modified since then.