CVE-2026-47743
Shopper: Multiple data integrity and disclosure issues in admin Livewire components
Description

## Impact

Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:

- **IDOR via unlocked properties.** Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the `#[Locked]` attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
- **Sensitive data echoed back through a Hidden form field.** `Customers/Create::store()` re-passed a `Hidden` `_password` form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.
- **Stored XSS on product barcode.** The product barcode field was rendered through `DNS1DFacade::getBarcodeHTML()` with `{!! !!}`. An attacker with `edit_products` permission could persist a malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.

## Patches

Fixed in `v2.8.0`:

- All vulnerable Livewire model identifiers are now marked `#[Locked]`.
- `Customers/Create` no longer round-trips the password through a Hidden form field; the plaintext password is hashed at the action boundary and never returned to the client.
- The product barcode rendering now escapes the value before passing it to the barcode generator, and the output is wrapped in an `<svg>` context that does not interpret event handlers.

Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.
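As an added example (not Shopper's own code), a hypothetical admin component showing the hardened pattern for the first two defects: the model identifier carries `#[Locked]`, so Livewire rejects any client-side change to it, and the password is hashed at the action boundary instead of being round-tripped through a Hidden field. The `Customer` model, the `edit_customers` ability and the view name are assumptions.

```php
<?php
// Hypothetical example component; names below are assumptions, not Shopper's code.
namespace App\Livewire\Admin;

use App\Models\Customer;                 // assumed Eloquent model
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;
use Livewire\Attributes\Locked;
use Livewire\Component;

class CustomerEdit extends Component
{
    // Locked: Livewire throws if the wire payload tries to change this value,
    // so a tampered request cannot retarget another customer's record (IDOR fix).
    #[Locked]
    public int $customerId;

    public string $email = '';

    // Received from the form for this request only; never placed in a Hidden
    // field, so it is not rendered into the DOM or carried in the snapshot.
    public string $password = '';

    public function mount(int $customerId): void
    {
        $this->customerId = $customerId;
        $this->email = Customer::findOrFail($customerId)->email;
    }

    public function save(): void
    {
        Gate::authorize('edit_customers');   // assumed ability name

        $customer = Customer::findOrFail($this->customerId);
        $customer->email = $this->email;

        if ($this->password !== '') {
            // Hash at the action boundary; only the hash is persisted.
            $customer->password = Hash::make($this->password);
        }
        $customer->save();

        // Clear the plaintext so the post-action snapshot does not contain it.
        $this->reset('password');
    }

    public function render()
    {
        // Any user-controlled field shown in this view (e.g. a barcode) must use
        // the escaping {{ }} syntax, never {!! !!}.
        return view('livewire.admin.customer-edit');
    }
}
```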
How to patch CVE-2026-47743
To patch CVE-2026-47743, upgrade the affected package to the fixed version listed below.
- — upgrade to 2.8.0 or later
Is CVE-2026-47743 being exploited?
There is currently no signal of exploitation. CVE-2026-47743 is neither in the CISA KEV catalog nor has a recent EPSS score.