← back
CVE-2026-47741

Shopper: Race condition on Discount.usage_limit allows silent over-redemption

CVSS 5.9 MEDIUMEPSS 0.2%CWE-362
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
shopperlabs · shopper

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/shopperlabs/shopper/issues/510https://github.com/shopperlabs/shopper/pull/511https://github.com/shopperlabs/shopper/security/advisories/GHSA-9rh9-hf3w-9fgg