GHSA-m5f5-28qr-9g9r: prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
A critical PHP Object Injection vulnerability exists in the PrestaShop module ps_facetedsearch versions 3.0.0 through 4.0.3. The vulnerability arises because slider filter values (price or weight) from the URL are insufficiently validated and stored serialized in a cache, which is later unserialized using native PHP unserialize(). An attacker can craft a malicious serialized object to achieve remote code execution without authentication by writing a webshell to the server. This allows full compromise of the affected shop and its hosting server.
AI Analysis
Technical Summary
The ps_facetedsearch module in PrestaShop versions >=3.0.0 <4.0.4 suffers from a PHP Object Injection vulnerability due to unsafe unserialize() usage on user-controlled slider filter values stored in a cache. By sending a specially crafted request with malicious serialized PHP objects in the price or weight slider filter parameters, an unauthenticated attacker can trigger deserialization that writes an arbitrary PHP file (webshell) to the module directory. This leads to remote code execution and full system compromise. The vulnerability affects all shops using the vulnerable module versions with slider filters enabled in the front office.
Potential Impact
Successful exploitation results in unauthenticated remote code execution on the server hosting the PrestaShop instance. This allows an attacker to fully compromise the affected shop and its underlying server, including arbitrary command execution and potential data theft or service disruption.
Mitigation Recommendations
A patch is available by upgrading the ps_facetedsearch module to version 4.0.4 or later, which replaces the unsafe native unserialize() call with a safer alternative. Until the module is upgraded, remove price and weight slider filters from front-office filter templates, clear the faceted-search filter cache, and audit the module directory for unexpected PHP files. Additionally, monitor and block search requests containing PHP serialization patterns at the WAF level. Applying the official module upgrade is the recommended and most effective remediation.
GHSA-m5f5-28qr-9g9r: prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE
Description
A critical PHP Object Injection vulnerability exists in the PrestaShop module ps_facetedsearch versions 3.0.0 through 4.0.3. The vulnerability arises because slider filter values (price or weight) from the URL are insufficiently validated and stored serialized in a cache, which is later unserialized using native PHP unserialize(). An attacker can craft a malicious serialized object to achieve remote code execution without authentication by writing a webshell to the server. This allows full compromise of the affected shop and its hosting server.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ps_facetedsearch module in PrestaShop versions >=3.0.0 <4.0.4 suffers from a PHP Object Injection vulnerability due to unsafe unserialize() usage on user-controlled slider filter values stored in a cache. By sending a specially crafted request with malicious serialized PHP objects in the price or weight slider filter parameters, an unauthenticated attacker can trigger deserialization that writes an arbitrary PHP file (webshell) to the module directory. This leads to remote code execution and full system compromise. The vulnerability affects all shops using the vulnerable module versions with slider filters enabled in the front office.
Potential Impact
Successful exploitation results in unauthenticated remote code execution on the server hosting the PrestaShop instance. This allows an attacker to fully compromise the affected shop and its underlying server, including arbitrary command execution and potential data theft or service disruption.
Mitigation Recommendations
A patch is available by upgrading the ps_facetedsearch module to version 4.0.4 or later, which replaces the unsafe native unserialize() call with a safer alternative. Until the module is upgraded, remove price and weight slider filters from front-office filter templates, clear the faceted-search filter cache, and audit the module directory for unexpected PHP files. Additionally, monitor and block search requests containing PHP serialization patterns at the WAF level. Applying the official module upgrade is the recommended and most effective remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-m5f5-28qr-9g9r
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54159"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- CRITICAL
- Cvss Version
- 3.1
Threat ID: 6a520eb368715ace438f514a
Added to database: 07/11/2026, 09:36:51 UTC
Last enriched: 07/11/2026, 09:49:03 UTC
Last updated: 07/11/2026, 09:49:03 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.