CVE-2026-47741

Published: Mag 29, 2026 Last Modified: Mag 29, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,9
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none

Description

AI Translation Available

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.

362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality Integrity Access Control
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Dos: Crash, Exit, Or Restart Dos: Instability Read Files Or Directories Read Application Data Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism
Applicable Platforms
Languages: C, C++, Java
Technologies: Mobile, ICS/OT
Likelihood of Exploit: Medium
View CWE Details
https://github.com/shopperlabs/shopper/issues/510
https://github.com/shopperlabs/shopper/issues/510
https://github.com/shopperlabs/shopper/issues/510
https://github.com/shopperlabs/shopper/issues/510
https://github.com/shopperlabs/shopper/pull/511
https://github.com/shopperlabs/shopper/pull/511
https://github.com/shopperlabs/shopper/security/advisories/…
https://github.com/shopperlabs/shopper/security/advisories/GHSA-9rh9-hf3w-9fgg