CVE-2026-47742 MEDIUM

CVE-2026-47742: Shopper: Missing authorization on Product admin Livewire sub-form components

Vendor Shopperlabs
Product shopper
Weakness CWE-862 · Missing authorization
Published May 29, 2026
Last update June 1, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
June 1, 2026 Record updated

Related vulnerabilities

04Related CVE