
Security Deep Dive

PrestaShop

Security posture and CVE patch evidence from tracked releases.


1 actively-exploited dependency CVE (CVE-2020-11023, in jquery 2.2.4) is flagged against 9.1.3.

KEV-listed CVEs are confirmed exploited in the wild; patch urgently. Note that this page's own tables disagree on where the fix landed: the version table and the patch history attribute it to 9.1.2, while the dependency table lists it as cleared in 9.1.3. Confirm the jquery version actually shipped in your installed release before relying on either figure.

Versions by Severity

A CVE is attributed to every tracked release that was published before the release that patches it.

8 versions tracked

Version  Published   C  H  M  L  KEV  Notes
9.1.3    2026-05-21  -  -  -  -  -    Latest
9.1.2    2026-05-19  -  -  -  -  -    Patches CVE-2020-11023
8.2.6    2026-04-27  -  -  1  -  1
9.1.1    2026-04-27  -  -  1  -  1
9.1.0    2026-03-23  -  -  1  -  1
8.2.5    2026-03-23  -  -  1  -  1
9.0.3    2026-02-03  -  -  1  -  1
8.2.4    2026-02-03  -  -  1  -  1

(C/H/M/L = count of critical/high/medium/low CVEs attributed to the release; the single attributed CVE, CVE-2020-11023, is rated medium.)

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown. Evidence sought: latest release artifact signature (latest release).
SLSA provenance: Unknown. Evidence sought: attestation predicate level (latest release).
SBOM published: Unknown. Evidence sought: GitHub SBOM API (latest release).
SECURITY.md: Absent. Evidence: GitHub repository metadata (repository policy), checked 22d ago. The Scorecard Security-Policy check further down reports a policy file detected; that check also accepts a policy under docs/ or .github/, or in the organization's .github repository, which a root-level SECURITY.md lookup misses, so check both locations before concluding there is no disclosure channel.
Release cadence (weekly): Present. 2d median over recent releases (release history); latest release 13d ago.
Maintainer active: Present. Recent commit activity (repository); last commit 1d ago.
Checksums (SHA256SUMS): Not active yet. Looks for a SHA256SUMS or equivalent release asset; latest release 13d ago.
GitHub Actions attestation: Not active yet. Looks for actions/attest-build-provenance in a workflow file; latest release 13d ago.
Signing assets: Not active yet. Looks for .sig, .crt, cosign.pub, or similar release assets; latest release 13d ago.
Security Score: 0.4/10
Scorecard: 4.2/10
Dependency Exposure: 179 transitive dependency CVEs found in the latest SBOM, 6 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Component          Points          Note
epss                0.25 / 0.5     Max EPSS 0.347
freshness           1.00 / 1.0     1d stale
scorecard           1.68 / 4.0     Score 4.2/10
cve health          0.00 / 2.5     ⚠ No direct scan; 6c/81h transitive CVEs
patch speed         0.50 / 0.5     ⚠ Estimated; no CVE patch history
kev exposure       -1.50 / 1.5     KEV exposure detected
supply chain risk  -1.50 / 10.0    Risk 100.0/100

Score breakdown (schema v2)

Dimension               Score   Weight  Detail
Vulnerability posture     0.0    25%    direct cves: clear; cve scan: estimated
Release responsiveness   10.0     5%    patch speed days: no_history
Dependency exposure       0.0    10%    supply chain risk: 100.0; transitive cves: 6c/81h
Provenance trust          4.2    40%    scorecard score: 4.2; openssf badge: none
Maintainer health        10.0    10%    activity freshness: 1d
Operational risk          1.5    10%    kev exposure: detected; epss max: 0.347

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility, and their sum matches the headline figure: 0.25 + 1.00 + 1.68 + 0.00 + 0.50 − 1.50 − 1.50 = 0.43, rounded to 0.4/10. The weighted dimensions do not reproduce that figure (0.25·0.0 + 0.05·10.0 + 0.10·0.0 + 0.40·4.2 + 0.10·10.0 + 0.10·1.5 = 3.33), so compare projects on one view or the other, not across them.

Supply Chain Risk

Risk: 100.0/100
6 transitive critical CVEs
1 KEV-listed transitive CVE
52% dependency freshness

Scorecard

Scorecard 4.2/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent. A check score of -1 means Scorecard could not evaluate it (inconclusive); such checks are excluded from the aggregate rather than counted as failures.

Check               Score  Reason
Maintained           10    30 commit(s) and 4 issue activity found in the last 90 days; score normalized to 10
Code-Review          10    all changesets reviewed
Security-Policy      10    security policy file detected
CII-Best-Practices    0    no effort to earn an OpenSSF best practices badge detected
Packaging            -1    packaging workflow not detected
Dangerous-Workflow    0    dangerous workflow patterns detected
License               9    license file detected
Token-Permissions     0    detected GitHub workflow tokens with excessive permissions
Branch-Protection    -1    internal error: some github tokens can't read classic branch protection rules (see https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md)
Signed-Releases       0    Project has not signed or included provenance with any releases.
Binary-Artifacts     10    no binaries found in the repo
Pinned-Dependencies   2    dependency not pinned by hash detected; score normalized to 2
Fuzzing               0    project is not fuzzed
SAST                  0    SAST tool is not run on all commits; score normalized to 0
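Three of the zero scores above (Token-Permissions, Dangerous-Workflow, Pinned-Dependencies) come from GitHub Actions workflow files. The scanner below is an added example, not PrestaShop's code and not Scorecard's implementation; it shows what each of those checks is looking for by running a line-based approximation (no YAML parser) over two constructed workflows: one carrying the weak patterns and a hardened rewrite of it. The commit digests in the hardened workflow are placeholders, not real action commits.

```python
"""Line-based scanner for the workflow weaknesses behind three Scorecard checks.

Added example, not PrestaShop's code and not the Scorecard implementation.
It deliberately avoids a YAML parser and works on raw lines, which is enough
for the two constructed workflows below and for most hand-written ones.
"""
import re

# Event fields an external contributor controls; interpolating them into a
# `run:` shell script is a template injection.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|head_commit|commits)\."
    r"[\w.]*(title|body|message|label|ref|name)\b")
USES = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")


def scan_workflow(text):
    """Return a list of findings, each naming the Scorecard check it maps to."""
    findings = []
    lines = text.splitlines()
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        findings.append("Token-Permissions: no `permissions:` block, so GITHUB_TOKEN "
                        "keeps the repository default instead of least privilege")
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None
    run_indent = None  # indentation of the `run:` key whose block we are inside
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not SHA40.match(m.group(2)):
            findings.append(f"line {no}: Pinned-Dependencies: {m.group(1)}@{m.group(2)} "
                            "is a mutable tag, not a commit SHA")
        if uses_prt and PR_HEAD_REF.search(line):
            findings.append(f"line {no}: Dangerous-Workflow: pull_request_target checks out "
                            "the PR head, so untrusted code runs with repository secrets")
        rm = re.match(r"^(\s*)-?\s*run:\s*(.*)$", line)
        if rm:
            run_indent = len(rm.group(1))
            inline = rm.group(2)
            if inline and inline[0] not in "|>" and UNTRUSTED_CONTEXT.search(inline):
                findings.append(f"line {no}: Dangerous-Workflow: untrusted event data "
                                "interpolated into run:")
            continue
        if run_indent is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None  # left the run: block
            elif UNTRUSTED_CONTEXT.search(line):
                findings.append(f"line {no}: Dangerous-Workflow: untrusted event data "
                                "interpolated into run:")
    return findings


# Constructed workflow with the weak patterns. Line numbers in findings refer to it.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
      - run: npm ci
      - name: Greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Hardened rewrite: read-only token, pull_request instead of pull_request_target,
# actions pinned to commit digests (placeholders here, not real commits), and
# untrusted input passed through an environment variable rather than the script.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA, v4
      - run: npm ci
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {scan_workflow(wf) or ['no findings']}")
```

The hardened version moves the PR title into `env:` so the shell sees an ordinary variable rather than a template substitution, which is the fix Scorecard expects; pinning to a digest does not by itself protect against a malicious action, it only makes the version you reviewed the version you run.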

OpenSSF Badge

OpenSSF Best Practices badge: none

The badge indicates adherence to open-source best practices (passing, silver and gold tiers). It is a self-assessment questionnaire with limited automated checks, so read it as a statement of intent rather than as verified controls.

CVE Patch History

Tracks CVEs that were addressed in tagged releases; a shorter gap between disclosure and patch means a faster response. EPSS is the FIRST.org estimate of the probability that a CVE is exploited in the next 30 days, shown here as a percentile across all scored CVEs; entries at or above the 90th and 50th percentiles are highlighted.

CVEs Patched by Year
2026: 1

CVE             Severity  EPSS    Disclosed  Fixed in  Days to fix  vs Ecosystem Median  KEV
CVE-2020-11023  MEDIUM    97%ile  -          9.1.2     -            -                    KEV

KEV = CISA Known Exploited Vulnerabilities catalog: actively exploited in the wild. The disclosure date and days-to-fix are blank for this entry, consistent with the patch-speed component above being estimated rather than measured.

Dependency Vulnerabilities

3413 dependencies scanned.

Scans the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical 6 · High 78 · Medium 76 · Low 19 · Unknown 0

1 dependency vulnerability is in KEV. CISA has confirmed it is actively exploited; treat it as critical priority regardless of its CVSS severity (here it is rated medium).

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2023-45133 critical @babel/traverse 7.16.3 9.1.2
CVE-2024-27448 critical maildev 2.1.0 9.1.2
CVE-2024-48910 critical dompurify 2.4.0 9.1.2
CVE-2025-7783 critical form-data 4.0.0 9.1.2
CVE-2026-25896 critical fast-xml-parser 5.0.9 9.1.2
CVE-2026-34084 critical phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2021-23337 high lodash.template 4.5.0 9.1.2
CVE-2021-32610 high pear/archive_tar 1.4.13 9.1.2
CVE-2022-25883 high semver 6.3.0 9.1.2
CVE-2022-29221 high smarty/smarty 3.1.43 9.1.2
CVE-2022-29248 high guzzlehttp/guzzle 7.3.0 9.1.2
CVE-2022-31042 high guzzlehttp/guzzle 7.3.0 9.1.2
CVE-2022-31090 high guzzlehttp/guzzle 7.3.0 9.1.2
CVE-2022-31091 high guzzlehttp/guzzle 7.3.0 9.1.2
CVE-2022-31101 high prestashop/blockwishlist 2.0.1 9.1.2
CVE-2022-39261 high twig/twig 3.3.8 9.1.2
CVE-2023-28447 high smarty/smarty 3.1.43 9.1.2
CVE-2023-30533 high xlsx 0.18.5 9.1.2
CVE-2024-21536 high http-proxy-middleware 2.0.6 9.1.2
CVE-2024-21538 high cross-spawn 7.0.3 9.1.2
CVE-2024-22363 high xlsx 0.18.5 9.1.2
CVE-2024-35226 high smarty/smarty 3.1.43 9.1.2
CVE-2024-37890 high ws 8.11.0 9.1.2
CVE-2024-4068 high braces 3.0.2 9.1.2
CVE-2024-4367 high pdfjs-dist 3.6.172 9.1.2
CVE-2024-45048 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45290 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45293 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45296 high path-to-regexp 0.1.7 9.1.2
CVE-2024-45590 high body-parser 1.20.1 9.1.2
CVE-2024-45801 high dompurify 2.4.0 9.1.2
CVE-2024-47873 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-47875 high dompurify 2.4.0 9.1.2
CVE-2024-48917 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-51736 high symfony/symfony 4.4.32 9.1.2
CVE-2024-52798 high path-to-regexp 0.1.10 9.1.2
CVE-2024-56365 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56366 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56408 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56409 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56521 high tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-56522 high tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2025-12816 high node-forge 1.3.1 9.1.2
CVE-2025-14874 high nodemailer 6.7.3 9.1.2
CVE-2025-54370 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2025-59288 high playwright 1.48.2 9.1.2
CVE-2025-64500 high symfony/symfony 4.4.32 9.1.2
CVE-2025-66031 high node-forge 1.3.1 9.1.2
CVE-2026-23745 high tar 6.2.1 9.1.2
CVE-2026-23950 high tar 6.2.1 9.1.2
CVE-2026-24765 high phpunit/phpunit 8.5.16 9.1.2
CVE-2026-24842 high tar 6.2.1 9.1.2
CVE-2026-25128 high fast-xml-parser 5.0.9 9.1.2
CVE-2026-26278 high fast-xml-parser 5.0.9 9.1.2
CVE-2026-26960 high tar 6.2.1 9.1.2
CVE-2026-26996 high minimatch 3.1.2 9.1.2
CVE-2026-27903 high minimatch 3.1.2 9.1.2
CVE-2026-27904 high minimatch 3.1.2 9.1.2
CVE-2026-29063 high immutable 4.1.0 9.1.2
CVE-2026-29786 high tar 6.2.1 9.1.2
CVE-2026-31802 high tar 6.2.1 9.1.2
CVE-2026-32141 high flatted 3.2.7 9.1.2
CVE-2026-33036 high fast-xml-parser 5.0.9 9.1.2
CVE-2026-33151 high socket.io-parser 4.2.4 9.1.2
CVE-2026-33228 high flatted 3.2.7 9.1.2
CVE-2026-33671 high picomatch 2.3.1 9.1.2
CVE-2026-33891 high node-forge 1.3.1 9.1.2
CVE-2026-33894 high node-forge 1.3.1 9.1.2
CVE-2026-33895 high node-forge 1.3.1 9.1.2
CVE-2026-33896 high node-forge 1.3.1 9.1.2
CVE-2026-34601 high @xmldom/xmldom 0.9.5 9.1.2
CVE-2026-40863 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2026-40902 high phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2026-41672 high @xmldom/xmldom 0.9.5 9.1.2
CVE-2026-41673 high @xmldom/xmldom 0.9.5 9.1.2
CVE-2026-41674 high @xmldom/xmldom 0.9.5 9.1.2
CVE-2026-41675 high @xmldom/xmldom 0.9.5 9.1.2
CVE-2026-44728 high @babel/plugin-transform-modules-systemjs 7.25.0 9.1.2
CVE-2026-4800 high lodash 4.17.21 9.1.2
CVE-2026-4800 high lodash.template 4.5.0 9.1.2
CVE-2026-4867 high path-to-regexp 0.1.10 9.1.2
CVE-2026-6321 high fast-uri 3.0.2 9.1.2
CVE-2026-6322 high fast-uri 3.0.2 9.1.2
GHSA-5c6j-r48x-rmvq high serialize-javascript 6.0.2 9.1.2
CVE-2015-9251 medium jquery 2.2.4 9.1.2
CVE-2018-25047 medium smarty/smarty 3.1.43 9.1.2
CVE-2019-11358 medium jquery 2.2.4 9.1.2
CVE-2020-11022 medium jquery 2.2.4 9.1.2
CVE-2020-11023 medium KEV jquery 2.2.4 9.1.3
CVE-2021-23382 medium postcss 6.0.23 9.1.2
CVE-2021-29060 medium color-string 0.3.0 9.1.2
CVE-2021-41270 medium symfony/symfony 4.4.32 9.1.2
CVE-2022-24775 medium guzzlehttp/psr7 1.8.2 9.1.2
CVE-2022-24894 medium symfony/symfony 4.4.32 9.1.2
CVE-2022-24895 medium symfony/symfony 4.4.32 9.1.2
CVE-2022-35933 medium prestashop/productcomments 5.0.1 9.1.2
CVE-2023-26115 medium word-wrap 1.2.3 9.1.2
CVE-2023-26136 medium tough-cookie 4.1.2 9.1.2
CVE-2023-29197 medium guzzlehttp/psr7 1.8.2 9.1.2
CVE-2023-44270 medium postcss 6.0.23 9.1.2
CVE-2023-46734 medium symfony/symfony 4.4.32 9.1.2
CVE-2023-47109 medium prestashop/blockreassurance 5.1.1 9.1.2
CVE-2023-47110 medium prestashop/blockreassurance 5.1.1 9.1.2
CVE-2024-22640 medium tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-29041 medium express 4.18.2 9.1.2
CVE-2024-32489 medium tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-38355 medium socket.io 4.6.0 9.1.2
CVE-2024-4067 medium micromatch 4.0.5 9.1.2
CVE-2024-45046 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45060 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45291 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45292 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-45411 medium twig/twig 3.3.8 9.1.2
CVE-2024-51058 medium tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-55565 medium nanoid 3.3.7 9.1.2
CVE-2024-56410 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56411 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56412 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2024-56519 medium tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-56527 medium tecnickcom/tcpdf 6.4.1 9.1.2
CVE-2024-6485 medium bootstrap 3.4.1 9.1.2
CVE-2025-13033 medium nodemailer 6.7.3 9.1.2
CVE-2025-13465 medium lodash 4.17.21 9.1.2
CVE-2025-15284 medium qs 6.13.0 9.1.2
CVE-2025-1647 medium bootstrap 3.4.1 9.1.2
CVE-2025-22131 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2025-23210 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2025-24027 medium prestashop/ps_contactinfo 3.3.0 9.1.2
CVE-2025-26791 medium dompurify 2.4.0 9.1.2
CVE-2025-27789 medium @babel/runtime 7.25.6 9.1.2
CVE-2025-27789 medium @babel/helpers 7.25.6 9.1.2
CVE-2025-30359 medium webpack-dev-server 5.1.0 9.1.2
CVE-2025-30360 medium webpack-dev-server 5.1.0 9.1.2
CVE-2025-32996 medium http-proxy-middleware 2.0.6 9.1.2
CVE-2025-32997 medium http-proxy-middleware 2.0.6 9.1.2
CVE-2025-64718 medium js-yaml 4.1.0 9.1.2
CVE-2025-66030 medium node-forge 1.3.1 9.1.2
CVE-2025-69873 medium ajv 8.17.1 9.1.2
CVE-2026-24739 medium symfony/symfony 4.4.32 9.1.2
CVE-2026-2950 medium lodash 4.17.21 9.1.2
CVE-2026-33349 medium fast-xml-parser 5.0.9 9.1.2
CVE-2026-33532 medium yaml 1.10.2 9.1.2
CVE-2026-33672 medium picomatch 2.3.1 9.1.2
CVE-2026-33750 medium brace-expansion 1.1.11 9.1.2
CVE-2026-34043 medium serialize-javascript 6.0.2 9.1.2
CVE-2026-35453 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2026-40296 medium phpoffice/phpspreadsheet 1.17.1 9.1.2
CVE-2026-41239 medium dompurify 2.4.0 9.1.2
CVE-2026-41240 medium dompurify 2.4.0 9.1.2
CVE-2026-41305 medium postcss 6.0.23 9.1.2
CVE-2026-41650 medium fast-xml-parser 5.0.9 9.1.2
GHSA-39q2-94rc-95cp medium dompurify 2.4.0 9.1.2
GHSA-67mh-4wv8-2f99 medium esbuild 0.16.17 9.1.2
GHSA-9h6g-pr28-7cqp medium nodemailer 6.7.3 9.1.2
GHSA-cj63-jhhr-wcxv medium dompurify 2.4.0 9.1.2
GHSA-cjmm-f4jc-qw8r medium dompurify 2.4.0 9.1.2
GHSA-h8r8-wccr-v5f2 medium dompurify 2.4.0 9.1.2
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.6 9.1.2
GHSA-v78c-4p63-2j6c medium moment-timezone 0.4.1 9.1.2
GHSA-vvjj-xcjg-gr5g medium nodemailer 6.7.3 9.1.2
CVE-2024-43796 low express 4.18.2 9.1.2
CVE-2024-43799 low send 0.18.0 9.1.2
CVE-2024-43800 low serve-static 1.15.0 9.1.2
CVE-2024-47764 low cookie 0.6.0 9.1.2
CVE-2024-50342 low symfony/symfony 4.4.32 9.1.2
CVE-2024-50343 low symfony/symfony 4.4.32 9.1.2
CVE-2024-51754 low twig/twig 3.3.8 9.1.2
CVE-2024-51755 low twig/twig 3.3.8 9.1.2
CVE-2024-9506 low vue 2.7.16 9.1.2
CVE-2025-5889 low brace-expansion 1.1.11 9.1.2
CVE-2025-68157 low webpack 5.95.0 9.1.2
CVE-2025-68458 low webpack 5.95.0 9.1.2
CVE-2025-7339 low on-headers 1.0.2 9.1.2
CVE-2026-2391 low qs 6.13.0 9.1.2
CVE-2026-24001 low diff 4.0.2 9.1.2
CVE-2026-27942 low fast-xml-parser 5.0.9 9.1.2
CVE-2026-3449 low @tootallnate/once 2.0.0 9.1.2
GHSA-56x4-j7p9-fcf9 low moment-timezone 0.4.1 9.1.2
GHSA-c7w3-x93f-qmm8 low nodemailer 6.7.3 9.1.2

Showing 179 of 190
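The KEV and EPSS notes above describe a triage order that the table itself does not make explicit: a KEV-listed medium is handled before an unexploited critical, and among the rest EPSS ranks ahead of CVSS. The Python below is an added example, not PrestaShop's or this dashboard's code; it matches a constructed CycloneDX SBOM (four components taken from the table above) against a constructed advisory feed and orders the hits by KEV, then EPSS, then severity. The fix versions for jquery (3.5.0), @babel/traverse (7.23.2) and cross-spawn (7.0.5) are the published ones; the EPSS values other than CVE-2020-11023's 0.347 from this page are illustrative.

```python
"""Match a CycloneDX SBOM against an advisory feed and triage the hits
KEV-first, then by EPSS, then by CVSS severity.

Added example, not PrestaShop's or this dashboard's code. SBOM_JSON and
ADVISORIES are constructed: CVE IDs, package names, versions and severities
come from the page; the fix versions for jquery (3.5.0), @babel/traverse
(7.23.2) and cross-spawn (7.0.5) are the published ones; EPSS values other
than CVE-2020-11023's 0.347 are illustrative.
"""
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

# Constructed CycloneDX 1.5 document with four components from the table above.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "jquery", "version": "2.2.4",
         "purl": "pkg:npm/jquery@2.2.4"},
        {"type": "library", "name": "@babel/traverse", "version": "7.16.3",
         "purl": "pkg:npm/%40babel/traverse@7.16.3"},
        {"type": "library", "name": "cross-spawn", "version": "7.0.6",
         "purl": "pkg:npm/cross-spawn@7.0.6"},
        {"type": "library", "name": "smarty/smarty", "version": "3.1.43",
         "purl": "pkg:composer/smarty/smarty@3.1.43"},
    ],
})

# Constructed advisory feed; "fixed" is the first non-vulnerable version.
ADVISORIES = [
    {"id": "CVE-2020-11023", "ecosystem": "npm", "package": "jquery", "fixed": "3.5.0",
     "severity": "medium", "epss": 0.347, "kev": True},
    {"id": "CVE-2023-45133", "ecosystem": "npm", "package": "@babel/traverse",
     "fixed": "7.23.2", "severity": "critical", "epss": 0.02, "kev": False},
    {"id": "CVE-2024-21538", "ecosystem": "npm", "package": "cross-spawn", "fixed": "7.0.5",
     "severity": "high", "epss": 0.01, "kev": False},
]


def parse_purl(purl):
    """Split 'pkg:<type>/<namespace>/<name>@<version>' into (type, name, version).
    The namespace separator is percent-encoded in purls ('%40babel')."""
    m = re.match(r"^pkg:([^/]+)/(.+)@([^@?#]+)", purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return m.group(1), m.group(2).replace("%40", "@"), m.group(3)


def version_key(v):
    """Compare on the leading dotted-numeric part only ('1.2.3-beta' -> (1, 2, 3)).
    Enough for the release versions here; not a full semver or Composer comparator."""
    m = re.match(r"^\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(p) for p in m.group(0).split("."))


def match_sbom(sbom_json, advisories):
    """Return one hit per (component, advisory) pair where the installed
    version is below the advisory's fixed version."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        eco, name, ver = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["package"] == name
                    and version_key(ver) < version_key(adv["fixed"])):
                hits.append({**adv, "component": name, "installed": ver})
    return hits


def triage(hits):
    """KEV first, then highest EPSS, then highest severity: an exploited
    medium outranks an unexploited critical."""
    return sorted(hits, key=lambda h: (h["kev"], h["epss"], SEVERITY_RANK[h["severity"]]),
                  reverse=True)


def severity_counts(hits):
    counts = {s: 0 for s in SEVERITY_RANK}
    for h in hits:
        counts[h["severity"]] += 1
    return counts


if __name__ == "__main__":
    ordered = triage(match_sbom(SBOM_JSON, ADVISORIES))
    for h in ordered:
        print(f"{h['id']:15} kev={h['kev']!s:5} epss={h['epss']:.3f} "
              f"{h['severity']:8} {h['component']}@{h['installed']} -> fix {h['fixed']}")
    print(severity_counts(ordered))
```

Run against the constructed input, the medium-rated jquery CVE comes out first because it is KEV-listed, the critical @babel/traverse CVE second, and cross-spawn 7.0.6 produces no hit because it is at or above the fixed version. A real scan swaps SBOM_JSON for the release's SBOM and ADVISORIES for an OSV or GHSA feed, and needs ecosystem-correct version comparators in place of version_key.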
