CVE-2026-25597

Published: Feb 6, 2026Modified: Feb 19, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.

Affected (2)

Products: Prestashop: Prestashop

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Prestashop Prestashop	Before 8.2.4
Prestashop Prestashop	From 9.0.0 to 9.0.3

Related CWEs

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (3)

https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.