CVE-2026-47740
shopper/framework: Authorization bypass in multiple Livewire admin components
Description
## Impact

Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:

- Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with `read_orders` only and did not require `edit_orders`. `capturePayment` could trigger an actual PSP capture.
- Order shipments table actions (mark delivered, edit tracking) were callable with `browse_orders` only.
- Sub-form Livewire components for products (Edit, Inventory, Seo, Shipping, Files) had no authorization on `store()`, so any authenticated panel user could mutate product data without `edit_products`.
- `Settings/Team/Index` had no `mount()` authorization at all: any authenticated user could create roles and delete other users.
- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` permission, allowing privilege escalation via the RBAC system itself.
- `PaymentMethods`, `Currencies`, `Carriers` table toggles and per-record actions had no per-action permission check.
- `Customers/Create::store()` re-passed a Hidden `_password` form field into the create payload.

Several public Eloquent model properties on Livewire components were not `#[Locked]`, allowing client-side ID tampering.

A stored XSS surface existed on the product barcode field, which is rendered through `DNS1DFacade::getBarcodeHTML()` with `{!! !!}`.

## Patches

Fixed in `v2.8.0`. Upgrade via:

```bash
composer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8
```

```shell
php artisan migrate
```

## Workarounds

None. Upgrade to `v2.8.0`.

## Resources

- Pull request: https://github.com/shopperlabs/shopper/pull/511
- CWE-862 Missing Authorization
- CWE-285 Improper Authorization
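The recurring defect above is one pattern: a component checks a read permission once in `mount()`, then exposes write actions (and a client-writable record id) that are never re-authorized. The example below is an added illustration, not Shopper's code or the fix in PR #511. It shows a vulnerable Livewire component next to a hardened one and assumes Laravel with Livewire 3 (`Livewire\Attributes\Locked`), the `AuthorizesRequests` trait, and that permission names such as `read_orders`/`edit_orders` are registered as Gate abilities (for example through spatie/laravel-permission); the `Order`/`Customer` models, their methods and the `add_customers` ability are hypothetical.

```php
<?php
// Added example, not the project's own code. Assumptions: Livewire 3, Laravel's
// AuthorizesRequests trait, and permission names registered as Gate abilities.
// App\Models\Order / App\Models\Customer and their methods are hypothetical.

namespace App\Livewire\Admin;

use App\Models\Customer;
use App\Models\Order;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Component;

// BEFORE: the pattern the advisory describes. The read permission is checked once
// on mount, the write actions are reachable by anyone who can open the page, and
// the public $orderId can be rewritten by the client between Livewire requests.
final class OrderDetailVulnerable extends Component
{
    use AuthorizesRequests;

    public int $orderId;

    public function mount(int $orderId): void
    {
        $this->authorize('read_orders');
        $this->orderId = $orderId;
    }

    public function capturePayment(): void
    {
        // Missing edit check: a read-only user can trigger a PSP capture,
        // and for any order id they choose to send in the request payload.
        Order::findOrFail($this->orderId)->capturePayment();
    }
}

// AFTER: every mutating action re-checks the permission it actually needs, the
// identifier is #[Locked] (Livewire rejects a payload that changes it), and the
// loaded record can additionally be run through a per-record policy.
final class OrderDetail extends Component
{
    use AuthorizesRequests;

    #[Locked]
    public int $orderId;

    public function mount(int $orderId): void
    {
        $this->authorize('read_orders');
        $this->orderId = $orderId;
    }

    public function capturePayment(): void
    {
        $this->authorize('edit_orders');      // write action, write permission
        $order = Order::findOrFail($this->orderId);
        $this->authorize('update', $order);   // optional per-record policy check
        $order->capturePayment();
    }

    public function cancel(): void
    {
        $this->authorize('edit_orders');
        Order::findOrFail($this->orderId)->cancel();
    }
}

// The customer-create case: authorize the write, validate the input, and never
// forward transient/hidden form fields such as `_password` into the create payload.
final class CustomerCreate extends Component
{
    use AuthorizesRequests;

    public array $data = [];

    public function store(): void
    {
        $this->authorize('add_customers');    // hypothetical ability name

        $payload = $this->validate([
            'data.first_name' => ['required', 'string', 'max:100'],
            'data.email'      => ['required', 'email'],
            // restrict free-text fields that end up in raw HTML to a safe charset
            'data.barcode'    => ['nullable', 'regex:/^[A-Za-z0-9\-]+$/'],
        ])['data'];

        unset($payload['_password']);         // belt and braces: drop it even if present
        Customer::create($payload);
    }
}
```

Two habits fall out of this: check authorization inside each action rather than trusting `mount()`, because Livewire actions are individually callable HTTP requests; and treat every public property as client-controlled unless it is `#[Locked]`.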
How to patch CVE-2026-47740
To patch CVE-2026-47740, upgrade the affected package to the patched version below.
- Upgrade to 2.8.0 or later
Is CVE-2026-47740 being exploited?
There are currently no exploitation signals. CVE-2026-47740 is not in the CISA KEV catalog and has no recent EPSS score.