[GHSA-w9f3-qc75-qgx9] PrestaShop has a stored XSS executable in customer service view #7681

Open
BaniMontoya wants to merge 1 commit into BaniMontoya/advisory-improvement-7681 from BaniMontoya-GHSA-w9f3-qc75-qgx9

@BaniMontoya

Updates

  • Description
  • Summary

Comments
I am requesting researcher attribution for the original discovery of this Stored XSS vector. I submitted a full technical report to PrestaShop on March 30, 2026, which was formally acknowledged by their security team on the same day.

My submission was highly specific: it identified the improper output escaping in AddressFormat::generateAddress and precisely detailed how this leads to session hijacking in the Back-office. Most importantly, I provided the exact remediation that was eventually implemented in version 8.2.6 (|escape:'html':'UTF-8').

Despite being the first to provide the technical breakdown and the fix, my name was omitted from the advisory. I am requesting my inclusion to accurately reflect the discovery timeline and the professional contribution I provided to protect PrestaShop users. I am prepared to provide full email headers and logs as evidence to the GitHub Curation team.

@github
Collaborator

github commented May 13, 2026

Hi there @matthieu-rolland! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions Bot changed the base branch from main to BaniMontoya/advisory-improvement-7681 May 13, 2026 12:57