Discount Over-Redemption Vulnerability in Shopper E-commerce Admin Panel
CVE-2026-47741

5.9 MEDIUM

Key Information:

CVE Published: 29 May 2026

What is CVE-2026-47741?

The Shopper E-commerce Admin Panel, prior to version 2.8.0, exposed merchants to a serious risk during high-traffic events such as Black Friday sales. The flaw is in the CreateOrderFromCartAction::execute method, which creates order entries before accurately checking and updating the discount's total usage counter. Under concurrent checkouts, the global discount usage limit could be exceeded without the merchant's knowledge: orders could be processed with discounts fully applied even after the limit had been breached, leaving businesses susceptible to significant financial losses. This issue has been addressed in version 2.8.0.
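The check-then-act ordering described above, next to one common mitigation, as an added example in Python with SQLite. It is not Shopper's code and not necessarily the change shipped in 2.8.0; the table names, column names and function names are assumptions made for illustration.

```python
import sqlite3

def make_db(limit):
    """Constructed sample data: one discount (id=1) with a global usage limit."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE discounts (id INTEGER PRIMARY KEY, usage_limit INTEGER, total_use INTEGER);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, discount_id INTEGER);
    """)
    db.execute("INSERT INTO discounts VALUES (1, ?, 0)", (limit,))
    db.commit()
    return db

def limit_not_reached(db, discount_id):
    """Check step of check-then-act: a plain read that reserves nothing."""
    used, limit = db.execute(
        "SELECT total_use, usage_limit FROM discounts WHERE id = ?", (discount_id,)
    ).fetchone()
    return used < limit

def create_order_unsafe(db, discount_id, check_passed):
    """Order first, counter second, both trusting a check made earlier."""
    if not check_passed:
        return False
    db.execute("INSERT INTO orders (discount_id) VALUES (?)", (discount_id,))
    db.execute("UPDATE discounts SET total_use = total_use + 1 WHERE id = ?", (discount_id,))
    db.commit()
    return True

def create_order_atomic(db, discount_id):
    """Claim a redemption with one conditional UPDATE, then create the order."""
    cur = db.execute(
        "UPDATE discounts SET total_use = total_use + 1 "
        "WHERE id = ? AND total_use < usage_limit", (discount_id,))
    if cur.rowcount != 1:      # limit already reached: nothing claimed
        db.rollback()
        return False
    db.execute("INSERT INTO orders (discount_id) VALUES (?)", (discount_id,))
    db.commit()                # counter bump and order commit together
    return True

def simulate(limit=1, shoppers=3):
    """Replay the racy interleaving: every checkout checks before any writes."""
    unsafe_db, safe_db = make_db(limit), make_db(limit)
    checks = [limit_not_reached(unsafe_db, 1) for _ in range(shoppers)]
    unsafe = sum(create_order_unsafe(unsafe_db, 1, ok) for ok in checks)
    safe = sum(create_order_atomic(safe_db, 1) for _ in range(shoppers))
    used = unsafe_db.execute("SELECT total_use FROM discounts").fetchone()[0]
    return unsafe, used, safe
```

With a limit of 1 and three checkouts, the unsafe path creates three discounted orders and pushes the counter to 3, while the conditional UPDATE admits exactly one. A counter above its limit, or more discounted orders than the limit allows, is also the condition a merchant can query for after the fact.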

Affected Version(s)

shopper < 2.8.0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
