PatchSiren

shopperlabs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM shopperlabs CVE published 2026-05-29

CVE-2026-47745

CVE-2026-47745 is a broken access control vulnerability in Shopper, a headless e-commerce admin panel. Prior to version 2.8.0, the admin tables for PaymentMethods, Currencies, and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without verifying the corresponding per-action permission. This allows a low-privilege au [truncated]

CRITICAL shopperlabs CVE published 2026-05-29

CVE-2026-47744

CVE-2026-47744 documents two authorization defects in Shopper, a headless e-commerce admin panel, that allow authenticated users to escalate privileges and compromise the entire RBAC system. The first defect affects Settings/Team/Index, which lacked mount() authorization checks. Any authenticated user could load this page and invoke its public actions to create new roles and delete other users, including [truncated]

MEDIUM shopperlabs CVE published 2026-05-29

CVE-2026-47742

CVE-2026-47742 is a medium-severity authorization bypass in Shopper, a headless e-commerce admin panel. Prior to version 2.8.0, sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) lacked authorization checks on their store() method. Any authenticated panel user, regardless of role, could modify any product's pricing, stock, SEO metadata, shipping dimensions, and [truncated]

MEDIUM shopperlabs CVE published 2026-05-29

CVE-2026-47741

A race condition in Shopper's order creation logic allowed discount codes to be redeemed beyond their configured usage limits. The vulnerability existed in CreateOrderFromCartAction::execute, which persisted the Order record before atomically checking and incrementing the discount's total_use counter. Under concurrent checkout load—such as during flash sales or viral coupon events—multiple requests could [truncated]

HIGH shopperlabs CVE published 2026-05-29

CVE-2026-47740

A privilege escalation vulnerability in Shopper, a headless e-commerce admin panel, allows authenticated low-privilege users to perform unauthorized order lifecycle mutations and trigger real payment captures. The issue stems from improper authorization checks on multiple Filament actions within the Order detail and Order shipments tables. Specifically, actions including cancel, mark paid, mark complete, [truncated]