CVE-2026-54159 Splunk · SPL

Detect PrestaShop ps_facetedsearch PHP Object Injection Leading to Unauthenticated RCE (CVE-2026-54159) in Splunk

CVE-2026-54159 is a critical (CVSS 10.0) PHP Object Injection vulnerability (CWE-74) in the PrestaShop ps_facetedsearch module (versions >=3.0.0, <4.0.4). The module caches faceted-search filter state using unsafe PHP deserialization of user-controllable input, allowing an unauthenticated attacker to submit a crafted serialized payload that instantiates gadget-chain objects, ultimately leading to arbitrary PHP code execution on the storefront web server. Exploitation requires no authentication and no user interaction, and a public PoC exists (GHSA-m5f5-28qr-9g9r).

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

SPL Detection Query

Splunk (SPL)
spl
index=web sourcetype=access_combined OR sourcetype=nginx:plus:access (uri_path="*ps_facetedsearch*" OR uri_query="*ps_facetedsearch*")
| eval decoded_query=urldecode(uri_query)
| rex field=decoded_query "(?<obj_marker>O:\d+:\\\"[A-Za-z0-9_\\\\]+\\\")"
| where isnotnull(obj_marker) OR match(decoded_query, "phar://") OR match(decoded_query, "__wakeup") OR match(decoded_query, "__destruct")
| stats count min(_time) as first_seen max(_time) as last_seen values(uri_path) as paths values(obj_marker) as markers by src_ip, http_user_agent
| sort -count
critical severity medium confidence

Searches Splunk web access logs for POST/GET requests to the ps_facetedsearch module containing PHP serialized object markers or phar:// stream wrapper strings, indicating an attempted PHP Object Injection exploit against CVE-2026-54159.

Data Sources

Web server access logsReverse proxy logs

Required Sourcetypes

access_combinednginx:plus:access

False Positives & Tuning

  • Search engine crawlers submitting malformed but non-malicious query strings
  • Internal vulnerability scanners testing the same endpoint
  • Caching/CDN layer replaying query strings with encoded characters

Other platforms for CVE-2026-54159


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate PHP Object Injection payload submission to ps_facetedsearch endpoint

    Expected signal: Web server access log entry showing a POST to /module/ps_facetedsearch/ajax with a request body/query containing 'O:20:"PsFacetedSearchTest"' and 'phar://'.

  2. Test 2Simulate webshell drop artifact following simulated RCE

    Expected signal: File creation event (via FIM/EDR/auditd) for a new .php file under the ps_facetedsearch cache directory, along with corresponding access log entries for the preceding exploitation request.

  3. Test 3Simulate malicious serialized payload with __destruct gadget marker

    Expected signal: Proxy/web log entry capturing the POST request with URL-decoded body containing '__destruct' and '__wakeup' strings targeting the ps_facetedsearch endpoint.

Unlock Pro Content

Get the full detection package for CVE-2026-54159 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections