CVE-2026-47744
Published 2026-05-29
Priority P2 · 62 · critical · CVSS 3.1 base score 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.32% (23.8th percentile)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
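The two defects, shown as a before/after pair in an added illustration that is not Shopper's own code. It assumes a Livewire 3 component, a hypothetical `User` model, and a Gate that resolves permission names through `$user->can()` with a `syncPermissions()` helper (as spatie/laravel-permission provides).

```php
<?php
// Added illustration, not Shopper's own code. Assumes Livewire 3 and a Gate that
// resolves permission names (e.g. spatie/laravel-permission) via $user->can().
use App\Models\User;                 // hypothetical user model
use Illuminate\Support\Facades\Auth;
use Livewire\Component;

// Defect pattern from the advisory: no authorization in mount(), and a write
// action gated only on the read-only view_users permission.
class IndexVulnerable extends Component
{
    public function mount(): void
    {
        // Empty: any authenticated user can render the page.
    }
    public function deleteUser(int $userId): void
    {
        // Livewire actions are callable directly by anyone who can mount the
        // component, so this deletes arbitrary users (admins included).
        User::findOrFail($userId)->delete();
    }
    public function updatePermissions(int $userId, array $permissions): void
    {
        abort_unless(Auth::user()->can('view_users'), 403); // read-only check
        User::findOrFail($userId)->syncPermissions($permissions);
    }
}

// Hardened form: authorize in mount() and again in every public action, gating
// writes on manage_users rather than view_users.
class IndexHardened extends Component
{
    public function mount(): void
    {
        abort_unless(Auth::user()?->can('manage_users'), 403);
    }
    public function deleteUser(int $userId): void
    {
        abort_unless(Auth::user()?->can('manage_users'), 403);
        User::findOrFail($userId)->delete();
    }
    public function updatePermissions(int $userId, array $permissions): void
    {
        abort_unless(Auth::user()?->can('manage_users'), 403);
        User::findOrFail($userId)->syncPermissions($permissions);
    }
}
```

The check is repeated inside each action because Livewire actions can be invoked independently of whether the rendered view exposes them, so a mount()-only check is not sufficient on its own.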
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopper | framework | >= 0 < 2.8.0 | 2.8.0 |
| shopperlabs | shopper | < 2.8.0 | 2.8.0 |
GHSA (2026-06-05): CVE-2026-47744 [CRITICAL] CWE-269 Shopper: Authorization bypass and RBAC privilege escalation in team settings
## Impact
Two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system:
- `Settings/Team/Index` had no `mount()` authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators.
- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` permission. Any user holding `view_users` could grant themselves or any other user arbitrary permissions, including `manage_users` and `edit_orders`, effectively escalating to full panel administrator from a read-only account.
Combined, these two defects allow a low-privilege authenticated user to obta
VulDB (2026-05-29, CVSS 9.9): CVE-2026-47744 [CRITICAL] shopperlabs shopper up to 2.7.x Setting Settings/Team/Index privileges management
A vulnerability labeled as critical has been found in shopperlabs shopper up to 2.7.x. Impacted is an unknown function of the file Settings/Team/Index of the component Setting Handler. Such manipulation leads to improper privilege management.
This vulnerability is listed as CVE-2026-47744. The attack may be performed remotely. There is no available exploit.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.