CVE-2022-21686 CRITICAL

CVE-2022-21686: Server Side Twig Template Injection in PrestaShop

Vendor Prestashop
Product PrestaShop
Weakness CWE-94 · Code injection
Published January 26, 2022
Last update April 23, 2025

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

Key dates

02Disclosure timeline

January 26, 2022 CVE published
April 23, 2025 Record updated