CVE-2026-33673 — PrestaShop has multiple stored XSS vulnerabilities via unprotected Template vari

Description

### Impact Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. ### Patches Patched on 8.2.5 and 9.1.0 ### Workarounds None ### References None

How to fix CVE-2026-33673

To remediate CVE-2026-33673, upgrade the affected package to a fixed version below.

—upgrade to 8.2.5 or later
—upgrade to 9.1.0 or later

Is CVE-2026-33673 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 8.2.5, >= 9.0.0, < 9.1.0
>= 9.0.0-alpha.1, < 9.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33673
PATCHgithub.com/PrestaShop/PrestaShop
WEBgithub.com/PrestaShop/PrestaShop/releases/tag/8.2.5
WEBgithub.com/PrestaShop/PrestaShop/releases/tag/9.1.0
WEB