CVE-2026-25597
MEDIUM
CVSS 5.3
No EPSS data
Description
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-25597",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"integrityImpact": "NONE",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 1.4,
"exploitabilityScore": 3.9
}
]
},
"published": "2026-02-06T21:16:17.933",
"references": [
{
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4",
"tags": [
"Product",
"Release Notes"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"tags": [
"Product",
"Release Notes"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2",
"tags": [
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-208"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."
}
],
"lastModified": "2026-02-19T17:27:30.690",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8E0A201F-4217-4055-AE4E-D82693EEB90E",
"versionEndExcluding": "8.2.4"
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EAE3FA8E-5622-4234-AE14-AD4FE451357C",
"versionEndExcluding": "9.0.3",
"versionStartIncluding": "9.0.0"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}