Shopperlabs Shopper vulnerabilities
5 known vulnerabilities affecting shopperlabs/shopper.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2026-47744 | P2 | CRITICAL | CVSS 9.9 | CWE-269 | fixed in 2.8.0 | 2026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, i
Source: nvd
CVE-2026-47740 | P3 | HIGH | CVSS 8.1 | CWE-285 | fixed in 2.8.0 | 2026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were
Source: nvd
CVE-2026-47742 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 2.8.0 | 2026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media
Source: nvd
CVE-2026-47745 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 2.8.0 | 2026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every
Source: nvd
CVE-2026-47741 | P4 | MEDIUM | CVSS 5.9 | CWE-362 | fixed in 2.8.0 | 2026-05-29
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the
Source: nvd