CVE-2026-54159

PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159)

CVE-2026-54159 is a critical (CVSS 10.0) PHP Object Injection vulnerability (CWE-74) in the PrestaShop ps_facetedsearch module (versions >=3.0.0, <4.0.4). The module caches faceted-search filter state using unsafe PHP deserialization of user-controllable input, allowing an unauthenticated attacker to submit a crafted serialized payload that instantiates gadget-chain objects, ultimately leading to arbitrary PHP code execution on the storefront web server. Exploitation requires no authentication and no user interaction, and a public PoC exists (GHSA-m5f5-28qr-9g9r).

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
composer
Product
prestashop/ps_facetedsearch
Versions
>= 3.0.0, < 4.0.4

Weakness (CWE)

Timeline

Disclosed
July 10, 2026

CVSS

10.0
Critical (9.0–10)
Write-up coming soon

What is CVE-2026-54159 PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159)?

PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159) (CVE-2026-54159) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159), covering the data sources and telemetry it touches: IIS/Apache/Nginx web logs, WAF logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto
let SuspiciousMarkers = dynamic(["O:8:\"","O:9:\"","O:10:\"","php_ext","phar://","__wakeup","__destruct","unserialize"]);
W3CIISLog
| where cs_uri_stem has "module/ps_facetedsearch" or cs_uri_query has "ps_facetedsearch"
| where cs_method == "POST"
| extend DecodedQuery = url_decode(cs_uri_query)
| where DecodedQuery has_any (SuspiciousMarkers) or cs_bytes > 20000
| project TimeGenerated, cIP, csUserAgent=cs_User_Agent, cs_uri_stem, DecodedQuery, sc_status
| sort by TimeGenerated desc

Detects HTTP POST requests to the PrestaShop ps_facetedsearch module endpoint containing PHP serialized-object markers (e.g. O:8:"classname") or phar:// wrapper strings indicative of PHP Object Injection exploitation attempts against CVE-2026-54159.

critical severity medium confidence

Data Sources

IIS/Apache/Nginx web logs WAF logs

Required Tables

W3CIISLog

False Positives

  • Legitimate faceted search filter submissions with unusually large but benign query strings
  • Automated QA/load-testing traffic against the storefront search endpoint
  • Third-party integrations that pass base64-like tokens resembling serialized markers

Sigma rule & cross-platform mapping

The detection logic for PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159) (CVE-2026-54159) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate PHP Object Injection payload submission to ps_facetedsearch endpoint

    Expected signal: Web server access log entry showing a POST to /module/ps_facetedsearch/ajax with a request body/query containing 'O:20:"PsFacetedSearchTest"' and 'phar://'.

  2. Test 2Simulate webshell drop artifact following simulated RCE

    Expected signal: File creation event (via FIM/EDR/auditd) for a new .php file under the ps_facetedsearch cache directory, along with corresponding access log entries for the preceding exploitation request.

  3. Test 3Simulate malicious serialized payload with __destruct gadget marker

    Expected signal: Proxy/web log entry capturing the POST request with URL-decoded body containing '__destruct' and '__wakeup' strings targeting the ps_facetedsearch endpoint.

Unlock Pro Content

Get the full detection package for CVE-2026-54159 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections