CVE-2026-47741
Shopper Admin Panel Discount Over-Redemption Vulnerability
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shopperlabs | shopper | to 2.8.0 (exc) |
| shopperlabs | shopper | From 2.8.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-47741 is a race condition vulnerability in the Shopper e-commerce platform's discount usage tracking system prior to version 2.8.0.
The issue occurs because the system creates an order before checking and incrementing the discount's total usage counter, allowing multiple users to redeem the same discount beyond its intended usage limit during high-traffic events like Black Friday.
This improper synchronization leads to silent over-redemption of discounts without any signal to the merchant that the usage limit has been exceeded.
Additionally, the per-user discount limit feature was ineffective because the relevant usage counter was never incremented, allowing customers to redeem the same discount multiple times even when restricted.
The vulnerability is fixed in version 2.8.0 by introducing atomic operations with database transactions and row-level locking to ensure exclusive access to the discount usage counter before order creation.
How can this vulnerability impact me?
This vulnerability can lead to financial losses for merchants because discounts can be applied more times than intended without detection.
During high-traffic sales events, multiple customers can redeem the same discount beyond its usage limit, resulting in unintended over-redemption.
Merchants receive no signal or alert that the discount usage limit has been exceeded, making the issue silent and only detectable through manual reconciliation.
The per-user discount limit is also bypassed, allowing customers to use discounts multiple times even if restricted to one use per customer.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a race condition that causes silent over-redemption of discounts during concurrent checkouts, making it difficult to detect through normal network or system monitoring.
Detection primarily requires manual reconciliation of discount usage against the intended usage limits, as the system does not provide explicit signals or logs indicating over-redemption.
No specific commands or automated detection methods are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the shopper/cart package to version 2.8.0 or later, where the vulnerability has been fixed.
The fix includes atomic operations with database transactions, row-level locking, and compare-and-swap logic to prevent over-redemption of discounts.
No workarounds are available, so upgrading is essential to ensure proper enforcement of discount usage limits and per-user restrictions.
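To make the check-then-act window from the first answer and the compare-and-swap fix from the mitigation answer concrete, here is an added example in Python with SQLite; it is not Shopper's own code (the project is PHP/Laravel), and the table and column names are assumptions. The race is modelled deterministically by letting every request read the counter before any of them writes, which is the interleaving a high-traffic event produces.

```python
"""Constructed example: check-then-act vs. compare-and-swap discount redemption."""
import sqlite3

# Assumed minimal schema; Shopper's real tables and columns are not shown on the page.
SCHEMA = """
CREATE TABLE discounts (id INTEGER PRIMARY KEY, total_uses INTEGER, max_uses INTEGER);
CREATE TABLE orders (id INTEGER PRIMARY KEY, discount_id INTEGER);
"""

def make_db(max_uses: int) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO discounts (id, total_uses, max_uses) VALUES (1, 0, ?)", (max_uses,))
    return db

def redeem_vulnerable(db: sqlite3.Connection, concurrent: int) -> int:
    """Vulnerable sequence: check the limit, create the order, then increment.

    All `concurrent` requests read the counter inside the timing window, before
    any of them has written to it, so every one of them passes the check."""
    checks = [db.execute("SELECT total_uses < max_uses FROM discounts WHERE id = 1")
                .fetchone()[0] for _ in range(concurrent)]
    for ok in checks:
        if ok:
            db.execute("INSERT INTO orders (discount_id) VALUES (1)")  # order exists first
            db.execute("UPDATE discounts SET total_uses = total_uses + 1 WHERE id = 1")
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def redeem_atomic(db: sqlite3.Connection, concurrent: int) -> int:
    """Fixed sequence: compare-and-swap first, create the order only on success.

    The check and the increment are a single UPDATE, which the database applies
    atomically, so no interleaving can separate them; the order is created only
    once the counter slot has been claimed. (On PostgreSQL/MySQL the same guard
    is usually paired with a transaction and SELECT ... FOR UPDATE row locking.)"""
    for _ in range(concurrent):
        claimed = db.execute(
            "UPDATE discounts SET total_uses = total_uses + 1 "
            "WHERE id = 1 AND total_uses < max_uses").rowcount
        if claimed == 1:
            db.execute("INSERT INTO orders (discount_id) VALUES (1)")
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

if __name__ == "__main__":
    print("vulnerable:", redeem_vulnerable(make_db(3), 5))  # 5 orders against a limit of 3
    print("atomic:    ", redeem_atomic(make_db(3), 5))      # 3 orders
```

The same single-statement guard applies to a per-user usage row, which is the counter the advisory says was never incremented at all.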
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily impacts data integrity by allowing unauthorized modification of discount usage counters, leading to financial losses for merchants due to silent over-redemption of discounts.
There is no information in the provided context or resources indicating a direct effect on compliance with common standards and regulations such as GDPR or HIPAA.