CVE-2026-33673
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variablesPrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
We have discovered 1,830 live websites that are affected by CVE-2026-33673.
Affected Software
| Product |  PrestaShop |
| Category | Ecommerce |
| Vulnerable Domains | 1,830 live websites (100% of PrestaShop install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 89 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Mar 26, 2026
- Updated - Mar 27, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33673 United States | 174 websites |
 Spain | 414 websites |
 France | 385 websites |
 Iran | 130 websites |
 Germany | 114 websites |
 Italy | 72 websites |
 Poland | 71 websites |
 Czech Republic | 38 websites |
 Chile | 37 websites |
 Norway | 34 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33673| .com | 798 websites |
| .es | 195 websites |
| .fr | 157 websites |
| .pl | 62 websites |
| .it | 61 websites |
| .cz | 28 websites |
| .de | 25 websites |
| .eu | 23 websites |
| .nl | 22 websites |
| .net | 21 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33673
Top websites that are affected by CVE-2026-33673. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.de | Germany | ***,*** | |
| *******.de | Germany | ***,*** | |
| ***********.pl | Poland | ***,*** | |
| **************.com | Spain | ***,*** | |
| *******.com | United States | ***,*** | |
| **********.fr | France | ***,*** | |
| **********.com | France | ***,*** | |
| ***********.com | France | ***,*** | |
| *************.es | Spain | ***,*** | |
| *******.com | France | ***,*** |
FAQ
CVE-2026-33673 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PrestaShop
A total of 1,830 websites have been identified as vulnerable to CVE-2026-33673, based on global website indexing conducted by WebTechSurvey.
The PrestaShop is affected by the CVE-2026-33673 vulnerability.
PrestaShop versions up to 9.1 are vulnerable to CVE-2026-33673.
CVE-2026-33673 is resolved in version 9.1 of PrestaShop.