CVE-2026-47742
Shopper: Missing authorization on Product admin Livewire sub-form components
Description
## Impact

Sub-form Livewire components used in the product editor (`Edit`, `Inventory`, `Seo`, `Shipping`, `Files`) performed no authorization in their `store()` method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding the `edit_products` permission. The affected components also exposed the product ID as a public Livewire property without `#[Locked]`, so an attacker could target an arbitrary product by tampering with the wire payload sent from the client.

## Patches

Fixed in `v2.8.0`. Each sub-form `store()` now authorizes against `edit_products`, and the product binding is locked so it cannot be rewritten from the client. Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.

## References

- Pull request: https://github.com/shopperlabs/shopper/pull/511
- CWE-862 Missing Authorization
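The two defects the advisory describes (an unauthorized `store()` and an unlocked public product ID) are easiest to see side by side. The following is an added illustrative example, not Shopper's own code; it shows a hypothetical Livewire 3 pricing sub-form in its vulnerable shape and its hardened shape. It assumes a `Product` Eloquent model with a `price` column and a gate or permission named `edit_products` (as a role/permission package would register); the class and view names are invented for the example.

```php
<?php
// Added example, not Shopper's code: an illustrative Livewire 3 sub-form
// component showing the bug class from CVE-2026-47742 beside the hardened form.
// Assumes a `Product` Eloquent model with a `price` column and a gate/permission
// named `edit_products` (for instance registered by a role/permission package).

namespace App\Livewire\Products;

use App\Models\Product;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Component;

// BEFORE: the shape of the vulnerable component. `productId` is a plain public
// property, so the client can rewrite it in the wire payload, and `store()`
// never checks who is calling it.
class PricingVulnerable extends Component
{
    public int $productId;     // tamperable from the browser
    public float $price = 0.0;

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
        $this->price = (float) $product->price;
    }

    public function store(): void
    {
        // No authorization: any authenticated panel user reaches this line,
        // and $this->productId may have been pointed at any product.
        Product::findOrFail($this->productId)->update(['price' => $this->price]);
    }

    public function render()
    {
        return view('livewire.products.pricing');
    }
}

// AFTER: the hardened shape. `#[Locked]` makes Livewire reject client-side
// updates to `productId`, and `store()` authorizes before touching the model.
class Pricing extends Component
{
    use AuthorizesRequests;

    #[Locked]
    public int $productId;     // server-set only; client updates are rejected
    public float $price = 0.0;

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
        $this->price = (float) $product->price;
    }

    public function store(): void
    {
        // Deny by default: throws AuthorizationException (rendered as HTTP 403)
        // unless the current user passes the `edit_products` gate.
        $this->authorize('edit_products');

        $this->validate(['price' => ['required', 'numeric', 'min:0']]);

        Product::findOrFail($this->productId)->update(['price' => $this->price]);
    }

    public function render()
    {
        return view('livewire.products.pricing');
    }
}
```

Both fixes are needed: the permission check alone still lets a user who does hold `edit_products` edit a product the form was never opened for, and `#[Locked]` alone still lets any panel user save. A regression test for the hardened component can use Livewire's test helpers: `Livewire::actingAs($userWithoutPermission)->test(Pricing::class, ['product' => $product])->call('store')->assertForbidden()`, and `->set('productId', $otherProduct->id)` on the locked property throws `Livewire\Features\SupportLockedProperties\CannotUpdateLockedPropertyException`, which the test can expect.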
How to fix CVE-2026-47742
To remediate CVE-2026-47742, upgrade the affected package to a fixed version below.
- shopper/admin (Composer): upgrade to 2.8.0 or later
Is CVE-2026-47742 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47742.
Affected packages (1)
- shopper/admin: all versions before 2.8.0 (< 2.8.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |