CVE-2026-47742
Shopper: Missing authorization on Product admin Livewire sub-form components
Description
## Impact

Sub-form Livewire components used in the product editor (`Edit`, `Inventory`, `Seo`, `Shipping`, `Files`) had no authorization on their `store()` method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding `edit_products`. The affected components accepted the product ID as a public Livewire property without `#[Locked]`, so an attacker could also target an arbitrary product by tampering with the wire payload from the client.

## Patches

Fixed in `v2.8.0`. Each sub-form `store()` now authorizes against `edit_products` and the product binding is locked. Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.

## References

- Pull request: https://github.com/shopperlabs/shopper/pull/511
- CWE-862 Missing Authorization
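The two weaknesses the advisory names (an unguarded `store()` and an unlocked product ID) and the shape of the fix, shown as an added illustration rather than Shopper's own code. The component and view names, the `Product` model, and the assumption that the `edit_products` ability is resolvable through Laravel's Gate are all hypothetical.

```php
<?php
// Added example, not Shopper's code. Assumes Livewire 3, an App\Models\Product
// Eloquent model, and an `edit_products` ability that Laravel's Gate can resolve
// (for instance through a permissions package). Names below are hypothetical.

namespace App\Livewire\Products;

use App\Models\Product;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Component;

// BEFORE: the product ID is an ordinary public property, so the client can
// rewrite it in the wire payload on the next request, and store() never checks
// whether the caller is allowed to edit products at all.
class VulnerablePricingForm extends Component
{
    public int $productId;
    public ?float $price = null;

    public function store(): void
    {
        Product::findOrFail($this->productId)->update(['price' => $this->price]);
    }

    public function render() { return view('livewire.products.pricing-form'); }
}

// AFTER: #[Locked] makes Livewire reject any client-side change to $productId
// (a tampered payload throws instead of silently rebinding the component), and
// store() refuses callers who do not hold the edit_products ability.
class HardenedPricingForm extends Component
{
    use AuthorizesRequests;

    #[Locked]
    public int $productId;
    public ?float $price = null;

    public function mount(Product $product): void
    {
        $this->productId = $product->id; // server-side binding only
    }

    public function store(): void
    {
        $this->authorize('edit_products'); // AuthorizationException -> 403

        Product::findOrFail($this->productId)->update(['price' => $this->price]);
    }

    public function render() { return view('livewire.products.pricing-form'); }
}
```

A quick regression check for either weakness is to log in as a panel user without `edit_products`, call `store()` on a sub-form, and then replay the request with a different product ID in the payload; both should now fail with 403.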
How to patch CVE-2026-47742
To patch CVE-2026-47742, upgrade the affected package to the patched version listed below.
- Upgrade to 2.8.0 or later
Is CVE-2026-47742 being exploited?
No exploitation signals at present. CVE-2026-47742 is not listed in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- from 0, < 2.8.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |