On June 3, 2026, PrestaShop published a security advisory for the ps_facetedsearch module. The following day, new patch releases followed for both active core branches — 9.1.4 and 8.2.7. The two events are connected: the core releases include additional protections and dependency updates that followed the module disclosure. If you run a PrestaShop store with Faceted Search active, this article covers exactly what you need to do and why it matters.
What happened: the ps_facetedsearch vulnerability
On June 3, 2026, a security advisory (GHSA-m5f5-28qr-9g9r) was published for the official PrestaShop layered navigation module.
The vulnerability allows execution of arbitrary code on the server through specially crafted HTTP requests. Critically, it requires neither an account nor any form of authentication — a publicly accessible store running an affected module version is exposed by default. That is what makes this a high-priority response item rather than a routine update.
Affected versions
The issue is present in ps_facetedsearch from version 3.0.0 through 4.0.3, on any store running PrestaShop 1.7.1.0 or later. Because the module ships with the vast majority of PrestaShop installations and the attack vector is unauthenticated, the affected surface is substantial.
The fix: ps_facetedsearch v4.0.4
The fix is available in ps_facetedsearch v4.0.4, published alongside the advisory. The change is contained in a single commit and closes the identified attack vector.
Apply the update from Back Office → Modules → check for available updates on Faceted Search. If the update does not appear automatically, the module can be downloaded directly from the GitHub releases page and installed manually.
The new core releases: 9.1.4 and 8.2.7
On June 4, 2026, PrestaShop 9.1.4 and PrestaShop 8.2.7 were released. These are maintenance releases for their respective active branches and include:
- updated dependencies related to the disclosed vulnerability in the core context;
- additional bug fixes in the back office and front office accumulated since the previous patch;
- updated Symfony components for the 9.1.x branch.
These releases follow the established PrestaShop pattern: when a security advisory drops for a widely installed module, core releases follow within 24–48 hours with additional defensive layers.
Timeline of security releases from May–June 2026
For full context, here is a summary of the relevant releases over recent weeks:
- April 28, 2026 — PrestaShop 9.1.1 and 8.2.6: Both branches received a simultaneous critical patch addressing a stored Cross-Site Scripting vulnerability in the Back Office Customer Service view (GHSA-w9f3-qc75-qgx9). The issue allowed injection of malicious scripts through customer-submitted messages.
- May 19, 2026 — PrestaShop 9.1.2: The first regular maintenance release for the 9.1 branch following the security-only 9.1.1. Over fifty merged pull requests from more than twenty contributors — bug fixes across back office, multishop management, catalog, and updated Symfony components.
- May 21, 2026 — PrestaShop 9.1.3: Security maintenance release for the 9.1 branch. Symfony was bumped from 6.4.38 to 6.4.40 and Twig to 3.26.0, following coordinated upstream security advisories published on May 20.
- June 4, 2026 — PrestaShop 9.1.4 and 8.2.7: The current releases described above.
How to check whether your store was targeted
Updating closes the vulnerability, but if your store ran an affected version of ps_facetedsearch for any length of time, it is worth checking for signs of prior activity.
Connect to your server via FTP or SSH and look for:
- Unexpected PHP files in the modules/ps_facetedsearch/ directory and its subdirectories. The module ships a known set of files — any extra .php file you did not install is a warning sign.
- Unusual entries in your server access logs, particularly repeated or malformed requests targeting paths under modules/ps_facetedsearch/.
The Advanced Parameters → Information page in the Back Office shows changed core files, but this check alone is not sufficient to confirm a clean installation.
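The two server-side checks above can be scripted. This is an added shell example, not part of the advisory or PrestaShop's own tooling. It goes beyond extra .php files and reports any file that was added or modified relative to a clean copy of the module. The function names, the clean reference directory (the same module version as the one installed, unpacked from the GitHub release) and the combined access-log format are assumptions.

```shell
#!/bin/sh
# Added example (not PrestaShop tooling). Assumptions: the reference dir is a
# clean copy of the SAME module version as the installed one, and the access
# log uses the common/combined format (client IP in field 1, path in field 7).

# Files present in the installed tree but absent from the clean reference.
unexpected_files() {  # $1 = installed module dir, $2 = clean reference dir
  tmp=$(mktemp -d) || return 1
  (cd "$1" && find . -type f | LC_ALL=C sort) > "$tmp/installed"
  (cd "$2" && find . -type f | LC_ALL=C sort) > "$tmp/reference"
  LC_ALL=C comm -23 "$tmp/installed" "$tmp/reference"
  rm -rf "$tmp"
}

# Files that exist in both trees but whose content differs.
modified_files() {    # $1 = installed module dir, $2 = clean reference dir
  (cd "$2" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
    if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Requests to paths under modules/ps_facetedsearch/, counted per client IP
# and HTTP method, busiest first. Output lines: "<count> <ip> <method>".
module_requests() {   # $1 = access log file
  awk '$7 ~ /\/modules\/ps_facetedsearch\// { n[$1 " " substr($6, 2)]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Usage: sh check_module.sh <installed_dir> <reference_dir> <access_log>
if [ "$#" -eq 3 ]; then
  echo "== Unexpected files ==";         unexpected_files "$1" "$2"
  echo "== Modified files ==";           modified_files "$1" "$2"
  echo "== Requests to module paths =="; module_requests "$3"
fi
```

If the reference copy is a different version from the installed module, legitimate files will show up as modified, so match versions before comparing.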
If you find anything suspicious, do not assume that updating the module is enough. A compromised store requires a proper investigation, rotation of Back Office credentials once the shop is confirmed clean, and a review of all other modules and server access points.
Note for our clients: As part of our monthly support service, we took immediate action within minutes of the official security release and patched the vulnerability for all our regular clients free of charge to ensure their stores remain fully protected.
Recommended steps
- Update ps_facetedsearch to v4.0.4 or later.
- Update core to PrestaShop 9.1.4 (if you are on the 9.1.x branch) or 8.2.7 (if you are on the 8.2.x branch).
- Review the module directory and server access logs for any activity that predates the patch.
- Take a full backup — files and database — before any update.
Updates can be applied via the Update Assistant from the Back Office, or through the standard Composer workflow for developer-managed installations.
FAQ
Do I need to update ps_facetedsearch even if I do not actively use layered navigation?
If the module is installed and enabled, yes. Its presence in modules/ps_facetedsearch/ and active status are sufficient for exposure, regardless of whether filters are configured on your category pages.
Does the vulnerability affect PrestaShop 1.7 stores?
Yes. Any store running PrestaShop 1.7.1.0 or later with ps_facetedsearch between 3.0.0 and 4.0.3 is affected.
Is updating the module enough, or do I need the core update too?
Updating the module to v4.0.4 closes the specific vulnerability. The 9.1.4 and 8.2.7 core releases add further fixes and dependency updates — applying them is recommended but does not replace the module update.
Can I apply the fix manually if I cannot update right now?
Yes, the fix commit is publicly available and the change is contained in a single file. Treat it as a bridge and schedule a full update to v4.0.4 within the next day or two.
Sources
- Security update for the Faceted Search module (ps_facetedsearch) — PrestaShop Build Blog, June 3, 2026
- ps_facetedsearch v4.0.4 release — GitHub
- Security advisory GHSA-m5f5-28qr-9g9r — GitHub Security Advisories
- PrestaShop 9.1.3 maintenance release — PrestaShop Build Blog, May 21, 2026
- PrestaShop 9.1.2 maintenance release — PrestaShop Build Blog, May 19, 2026
- PrestaShop 9.1.1 security release — PrestaShop Build Blog, April 28, 2026
- PrestaShop 8.2.6 security release — PrestaShop Build Blog, April 28, 2026