GHSA-M5F5-28QR-9G9R
Vulnerability from github – Published: 2026-07-10 20:36 – Updated: 2026-07-10 20:36Impact
A PHP Object Injection vulnerability affects the PrestaShop module ps_facetedsearch.
The module rebuilds the selected search filters from the request URL. The value of a slider filter (price or weight) is taken from the URL without sufficient validation, then stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize().
By crafting that value, an attacker can smuggle a malicious serialized PHP object into the cache. When it is deserialized, a gadget chain writes an arbitrary PHP file inside the module directory, which is then used as a webshell to run commands on the server.
Who is impacted
Any shop using a vulnerable version of ps_facetedsearch that displays a filter template containing a slider filter (price or weight). Exploitation is remote and unauthenticated, a single crafted front-office request is enough, and leads to remote code
execution and full compromise of the shop and its server.
Affected versions: 3.0.0 through 4.0.3 (all versions since 3.0.0, including the latest release).
Patches
Upgrade the ps_facetedsearch module to the patched version. Upgrading the module is the best action that removes the vulnerability.
Otherwise, you can apply the fix manually in the file src/Filters/Block.php:
In the getFromCache() method, replace the native unserialize() call:
// Before
if (!empty($row)) {
return unserialize(current($row));
}
// After
if (!empty($row)) {
return \Tools::unSerialize(current($row));
}
Until the module is upgraded:
- Remove price and weight slider filters from the filter templates that are exposed on the front office.
- Clear the faceted-search filter cache, and audit the
modules/ps_facetedsearch/directory for unexpected PHP files. - Monitor search requests for PHP serialization patterns (
O:,;i:, references to classes such asMonolog\…) and block them at the WAF level.
Resources
- Thank you to Frédéric Moreau (Antadis) and Gilles Caudal (Datalinx) for reporting this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "prestashop/ps_facetedsearch"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54159"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T20:36:56Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nA PHP Object Injection vulnerability affects the PrestaShop module `ps_facetedsearch`.\n\nThe module rebuilds the selected search filters from the request URL. The value of a slider filter (**price** or **weight**) is taken from the URL without sufficient validation, then stored in an internal filter-block cache where it is serialized and later read back with a raw native `unserialize()`.\nBy crafting that value, an attacker can smuggle a malicious serialized PHP object into the cache. When it is deserialized, a gadget chain writes an arbitrary PHP file inside the module directory, which is then used as a webshell to run commands on the server.\n\n### Who is impacted\n\nAny shop using a vulnerable version of `ps_facetedsearch` that displays a filter template containing a slider filter (price or weight). Exploitation is remote and **unauthenticated**, a single crafted front-office request is enough, and leads to remote code\nexecution and full compromise of the shop and its server.\n\n**Affected versions:** `3.0.0` through `4.0.3` (all versions since 3.0.0, including the latest release).\n\n\n### Patches\n\nUpgrade the `ps_facetedsearch` module to the patched version. Upgrading the module is the best action that removes the vulnerability.\n\nOtherwise, you can apply the fix manually in the file `src/Filters/Block.php`:\n\nIn the `getFromCache()` method, replace the native `unserialize()` call:\n\n```php\n// Before\nif (!empty($row)) {\n return unserialize(current($row));\n}\n\n// After\nif (!empty($row)) {\n return \\Tools::unSerialize(current($row));\n}\n```\n\n### Until the module is upgraded:\n\n- Remove price and weight slider filters from the filter templates that are exposed on the\n front office.\n- Clear the faceted-search filter cache, and audit the `modules/ps_facetedsearch/` directory for\n unexpected PHP files.\n- Monitor search requests for PHP serialization patterns (`O:`, `;i:`, references to classes such\n as `Monolog\\\u2026`) and block them at the WAF level.\n\n### Resources\n\n- Thank you to Fr\u00e9d\u00e9ric Moreau (Antadis) and Gilles Caudal (Datalinx) for reporting this vulnerability.",
"id": "GHSA-m5f5-28qr-9g9r",
"modified": "2026-07-10T20:36:56Z",
"published": "2026-07-10T20:36:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PrestaShop/ps_facetedsearch/security/advisories/GHSA-m5f5-28qr-9g9r"
},
{
"type": "PACKAGE",
"url": "https://github.com/PrestaShop/ps_facetedsearch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.