CVE-2026-47745
Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables
Description
## Impact

The admin tables for `PaymentMethods`, `Currencies` and `Carriers` exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:

- Disable every payment method on the store, blocking checkout.
- Disable or alter the default currency, changing displayed prices and the exchange rate basis.
- Disable carriers, breaking shipping rate computation at checkout.

The impact is a full denial of checkout and a loss of pricing integrity, reachable by any authenticated user.

## Patches

Fixed in `v2.8.0`. Each toggle and per-record action now requires its matching permission (`edit_payment_methods`, `edit_currencies`, `edit_carriers`). Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.
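The pattern behind the fix, as an added example that is not Shopper's own code: a framework-agnostic model of the admin-table row actions, with the pre-fix dispatcher (any authenticated user may run any action) beside the post-fix one (every action needs the table's matching permission, unknown tables and actions are denied). The permission names come from the advisory; the `User`, `Store` shape, `viewer` and `payments-admin` accounts and the sample records are constructed for the example. The point it demonstrates is that hiding a toggle in the UI is not enforcement: the check has to sit in the handler that mutates the record.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Per-table permission names taken from the advisory's Patches section.
REQUIRED_PERMISSION = {
    "payment_methods": "edit_payment_methods",
    "currencies": "edit_currencies",
    "carriers": "edit_carriers",
}
ROW_ACTIONS = ("enable", "disable", "edit", "delete")


class Forbidden(Exception):
    """Raised when a user lacks the permission an action requires."""


@dataclass(frozen=True)
class User:  # hypothetical minimal panel user, not Shopper's model
    name: str
    permissions: FrozenSet[str] = frozenset()
    authenticated: bool = True

    def can(self, permission: str) -> bool:
        return self.authenticated and permission in self.permissions


def new_store() -> Dict[str, Dict[str, dict]]:
    """Constructed sample data: three admin tables with a few enabled records."""
    return {
        "payment_methods": {"card": {"enabled": True}, "paypal": {"enabled": True}},
        "currencies": {"USD": {"enabled": True, "default": True}, "EUR": {"enabled": True}},
        "carriers": {"ups": {"enabled": True}},
    }


def _apply(store, table, record_id, action, payload=None):
    """Mutate one record; this is the effect the permission check must guard."""
    rows = store[table]
    if action == "enable":
        rows[record_id]["enabled"] = True
    elif action == "disable":
        rows[record_id]["enabled"] = False
    elif action == "edit":
        rows[record_id].update(payload or {})
    elif action == "delete":
        del rows[record_id]
    else:
        raise ValueError(action)


def vulnerable_dispatch(store, user, table, record_id, action, payload=None):
    """Pre-fix behaviour: any authenticated panel user may run any row action."""
    if not user.authenticated:
        raise Forbidden("login required")
    _apply(store, table, record_id, action, payload)


def fixed_dispatch(store, user, table, record_id, action, payload=None):
    """Post-fix behaviour: each action needs the table's permission; deny by default."""
    if not user.authenticated:
        raise Forbidden("login required")
    required = REQUIRED_PERMISSION.get(table)
    if required is None or action not in ROW_ACTIONS:
        raise Forbidden(f"unknown table/action {table}/{action}")
    if not user.can(required):
        raise Forbidden(f"{user.name} lacks {required}")
    _apply(store, table, record_id, action, payload)


def visible_row_actions(user, table):
    """UI side: render only the toggles the user may run. This is a courtesy to the
    user, not a control; fixed_dispatch still checks on the server."""
    required = REQUIRED_PERMISSION.get(table)
    return tuple(a for a in ROW_ACTIONS if required and user.can(required))


def checkout_possible(store) -> bool:
    """Checkout needs at least one enabled payment method and one enabled carrier."""
    return any(r["enabled"] for r in store["payment_methods"].values()) and any(
        r["enabled"] for r in store["carriers"].values()
    )


def demo():
    viewer = User("viewer", frozenset({"view_orders"}))
    payments_admin = User("payments-admin", frozenset({"edit_payment_methods"}))

    # Before the fix: a viewer can switch off every payment method.
    before = new_store()
    for pm in list(before["payment_methods"]):
        vulnerable_dispatch(before, viewer, "payment_methods", pm, "disable")

    # After the fix: the same request is refused; a scoped admin still works,
    # and that admin's permission does not leak across to another table.
    after = new_store()
    try:
        fixed_dispatch(after, viewer, "payment_methods", "card", "disable")
        viewer_blocked = False
    except Forbidden:
        viewer_blocked = True
    fixed_dispatch(after, payments_admin, "payment_methods", "paypal", "disable")
    try:
        fixed_dispatch(after, payments_admin, "carriers", "ups", "disable")
        scoped = False
    except Forbidden:
        scoped = True

    return {
        "viewer_broke_checkout_before_fix": not checkout_possible(before),
        "viewer_blocked_after_fix": viewer_blocked,
        "checkout_still_possible_after_fix": checkout_possible(after),
        "permission_scoped_per_table": scoped,
        "viewer_sees_actions": visible_row_actions(viewer, "payment_methods"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real implementation: the permission lookup is keyed by table so that `edit_payment_methods` cannot be reused against `carriers`, and an unmapped table or unlisted action is refused rather than silently allowed, so adding a new admin table without wiring its permission fails closed.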
How to patch CVE-2026-47745
To patch CVE-2026-47745, upgrade the affected package to the patched version below.
- Upgrade to 2.8.0 or later
Is CVE-2026-47745 being exploited?
No exploitation signal at present: CVE-2026-47745 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- all versions before 2.8.0 (>= 0, < 2.8.0)
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |