Release
26.05.2026
AddonsHub
PrestaShop 9.1.1 Now Available: Critical Security Update
PrestaShop has officially released version 9.1.1, which includes a critical security patch. It is strongly recommended that all users update their installations as soon as possible.
#prestashop
#development
#release
PrestaShop has officially released version 9.1.1, which includes a critical security patch for the 9.1 branch. This update addresses a stored Cross-Site Scripting (XSS) vulnerability found in the back office Customer Service view (Identifier: GHSA-w9f3-qc75-qgx9). Given the severity of this issue, it is strongly recommended that all users update their installations as soon as possible.
Security Fix Details
The vulnerability has been rated as Critical with a severity score of 9.3/10 (CWE-79). Full technical details regarding the attack vector are documented in the security advisory. Additionally, this issue has also been addressed in PrestaShop version 8.2.6, which was released simultaneously.
How to Update to PrestaShop 9.1.1
Updating your PrestaShop store to version 9.1.1 is highly recommended. You can utilize the Update Assistant for a seamless upgrade process. Before proceeding with the update, ensure that you create a full backup of your database and files.
If you are unable to update immediately, there are two alternative methods to mitigate the vulnerability:
Option 1: Install the Hotfix Module
Download the latest release of the hotfix module pshotfix_ghsaw9f3qc75qgx9 and upload the ZIP file via Modules > Module Manager > Upload a module. This module will automatically back up the vulnerable template and apply the necessary fix. It is compatible with PrestaShop versions 1.7, 8.x, and 9.x.
Option 2: Apply the Fix Manually (Advanced Users)
For those comfortable with code, the fix consists of two parts:
Part 1: Escape the Email in the Customer Threads Template
The vulnerability arises from the rendering of a customer thread email value in the back office without HTML escaping. To fix this, locate the file:
{YOUR_ADMIN_DIR}/themes/default/template/controllers/customer_threads/helpers/view/view.tpl
Replace occurrences of {$thread->email} with:
{$thread->email|escape:'html':'UTF-8'}
Part 2: Tighten Email Validation in `classes/Validate.php`
Modify the isEmail() method in classes/Validate.php to switch from 'loose' to 'strict' mode for email validation. This change will help reject potentially harmful email formats before they are stored.
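To make the two parts of the manual fix concrete, here is the same idea in plain PHP as an added illustration (this is not PrestaShop's code: the render functions mirror the two template expressions, and filter_var() stands in for the project's own strict email validator):

```php
<?php
// Added example, not PrestaShop code: what the two-part fix does, in plain PHP.
// Smarty's |escape:'html':'UTF-8' behaves like htmlspecialchars() with ENT_QUOTES.

declare(strict_types=1);

// Part 1 equivalent: neutralise HTML metacharacters before the value reaches the page.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Part 2 stand-in (assumption): reject anything that is not a syntactically valid
// address, so markup never gets stored. PrestaShop's Validate::isEmail() uses its own
// validator; filter_var() only illustrates the strict-mode behaviour here.
function is_strict_email(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable rendering: mirrors {$thread->email} with no escaping.
function render_email_unescaped(string $email): string
{
    return '<td>' . $email . '</td>';
}

// Fixed rendering: mirrors {$thread->email|escape:'html':'UTF-8'}.
function render_email_escaped(string $email): string
{
    return '<td>' . escape_html($email) . '</td>';
}

// Constructed sample values: one ordinary address, one carrying HTML markup.
$samples = ['customer@example.com', '<b>markup</b>@example.com'];
foreach ($samples as $email) {
    printf("input     : %s\n", $email);
    printf("strict ok : %s\n", is_strict_email($email) ? 'yes' : 'no');
    printf("unescaped : %s\n", render_email_unescaped($email));
    printf("escaped   : %s\n\n", render_email_escaped($email));
}
```

The second sample fails the strict check and, even if it were already stored, renders as inert text once escaped; the two parts are defence in depth, not alternatives.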
Download PrestaShop 9.1.1
You can download PrestaShop 9.1.1 now!
Post author · AddonsHub