CVE-2026-47741
Deferred Deferred - Pending Action
Shopper Admin Panel Discount Over-Redemption Vulnerability

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47741
EUVD
EUVD-2026-33409
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
shopperlabs shopper to 2.8.0 (exc)
shopperlabs shopper From 2.8.0 (inc)
shopperlabs shopper 2.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47741 is a race condition vulnerability in the Shopper e-commerce platform's discount usage tracking system prior to version 2.8.0.

The issue occurs because the system creates an order before checking and incrementing the discount's total usage counter, allowing multiple users to redeem the same discount beyond its intended usage limit during high-traffic events like Black Friday.

This improper synchronization leads to silent over-redemption of discounts without any signal to the merchant that the usage limit has been exceeded.

Additionally, the per-user discount limit feature was ineffective because the relevant usage counter was never incremented, allowing customers to redeem the same discount multiple times even when restricted.

The vulnerability is fixed in version 2.8.0 by introducing atomic operations with database transactions and row-level locking to ensure exclusive access to the discount usage counter before order creation.

Impact Analysis

This vulnerability can lead to financial losses for merchants because discounts can be applied more times than intended without detection.

During high-traffic sales events, multiple customers can redeem the same discount beyond its usage limit, resulting in unintended over-redemption.

Merchants receive no signal or alert that the discount usage limit has been exceeded, making the issue silent and only detectable through manual reconciliation.

The per-user discount limit is also bypassed, allowing customers to use discounts multiple times even if restricted to one use per customer.

Detection Guidance

This vulnerability is a race condition that causes silent over-redemption of discounts during concurrent checkouts, making it difficult to detect through normal network or system monitoring.

Detection primarily requires manual reconciliation of discount usage against the intended usage limits, as the system does not provide explicit signals or logs indicating over-redemption.

No specific commands or automated detection methods are provided in the available information.

Mitigation Strategies

The primary mitigation step is to upgrade the shopper/cart package to version 2.8.0 or later, where the vulnerability has been fixed.

The fix includes atomic operations with database transactions, row-level locking, and compare-and-swap logic to prevent over-redemption of discounts.

No workarounds are available, so upgrading is essential to ensure proper enforcement of discount usage limits and per-user restrictions.

Compliance Impact

The vulnerability primarily impacts data integrity by allowing unauthorized modification of discount usage counters, leading to financial losses for merchants due to silent over-redemption of discounts.

There is no information in the provided context or resources indicating a direct effect on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart