PatchSiren cyber security CVE debrief
CVE-2026-12204 ShopXO CVE debrief
CVE-2026-12204 is a MEDIUM severity vulnerability in ShopXO up to 6.7.1. A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor
- ShopXO
- Product
- ShopXO
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of ShopXO up to 6.7.1
Technical summary
CVE-2026-12204 affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint in ShopXO up to 6.7.1, allowing for authorization bypass.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to ShopXO to version 6.7.1 or later
- Restrict access to the Scheduled Task Endpoint
- Monitor for suspicious activity on the Scheduled Task Endpoint
Evidence notes
Vendor: Unknown Vendor, Product: ShopXO, Version: up to 6.7.1, Component: Scheduled Task Endpoint, CWE: CWE-285, CWE-639
Official resources
CVE-2026-12204 was published on 2026-06-15T02:16:12.290Z and has not been modified.