@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-w9f3-qc75-qgx9",
"modified": "2026-05-08T16:54:22Z",
"modified": "2026-05-08T16:54:23Z",
"published": "2026-05-08T16:54:22Z",
"aliases": [
"CVE-2026-44212"
],
"summary": "PrestaShop has a stored XSS executable in customer service view",
"details": "### Impact\n\nThis is a **stored Cross-site Scripting (XSS)** vulnerability in the PrestaShop back-office Customer Service view.\n\nAn unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover.\n\n### Patches\n\nPatched in PrestaShop 8.2.6 and 9.1.1.\n\n### Workarounds\n\nNone.\n\n### Resources\n\n- Reported by Savio at Doyensec (`anthropic@doyensec.com`) in collaboration with Anthropic Research.",
"summary": "Credit Attribution Correction: Bani Montoya (B4N1) for original discovery",
"details": "### Impact\nThis is a stored Cross-site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view.\n\nAn unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover.\n\n### Patches\nPatched in PrestaShop 8.2.6 and 9.1.1.\n\n### Workarounds\nNone.\n\n### Resources\n- Reported by Savio at Doyensec (anthropic@doyensec.com) in collaboration with Anthropic Research.\n- Independently reported by Bani Montoya (B4N1) on March 30, 2026.",
"severity": [
{
"type": "CVSS_V3",
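Review bot: the `summary` replacement in this hunk is wrong for this field: `"Credit Attribution Correction: Bani Montoya (B4N1) for original discovery"` describes the edit, not the vulnerability, so every consumer that renders `summary` as the advisory title (OSV mirrors, dependency scanners, feeds) will now show a changelog note instead of "PrestaShop has a stored XSS executable in customer service view". Keep the original summary line and carry the attribution only in `details`, where the new "Independently reported by Bani Montoya (B4N1) on March 30, 2026." line already lands; the OSV schema also has a `credits` array meant for exactly this. Two smaller points in the same hunk: the new summary says "original discovery" while the added Resources line says "Independently reported", and the two should agree on what is being claimed; and the rewritten `details` drops the bold markup and the blank lines after the `###` headings for no stated reason, which is unrelated to the attribution fix and makes the diff noisier than it needs to be.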