EUVD-2026-33407

Shopper: Authorization bypass and RBAC privilege escalation in team settings...

CVE-2026-47741

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

CVE-2026-47740

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

CVE-2026-47744

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...

CVE-2026-47741

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

CVE-2026-47740

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

CVE-2026-47742 Shopper: Missing authorization on Product admin Livewire sub-form components

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO...

CVE-2026-47744

CVE-2026-47744 affects Shopper: a Headless e-commerce Admin Panel. Two authorization flaws in Settings/Team enable RBAC takeover prior to version 2.8.0. First, Settings/Team/Index had no mount() authorization, allowing any authenticated panel user to load the page and perform public actions to cr...

CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...

shopper 安全漏洞

Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 contained a security vulnerability. This vulnerability stemmed from the CreateOrderFromCartAction::execute function, which created order lines before checking and increasing the...

shopper 安全漏洞

Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the fact that multiple Filament operations listed in administrator order details and order shipping tables...

SUSE CVE-2025-3063

The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaxcallbackupdatesaoption function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with...

AI Pulse: The First Agentic Cyber Week

In 2025, AI bots officially entered Cyber Week. Learn how agents shaped traffic and shopper intent — and why retailers must optimize for AI-driven commerce...

Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks

The FBI has issued a public service announcement warning about a surge in account takeover ATO fraud, and the timing lines up with a major alert Amazon has just sent to its 300 million customers about brand impersonation scams. How ATO fraud works Account takeover fraud is just what it says:...

EUVD-2000-0909

Malware in sbrugna...

EUVD-2025-9448

Malicious code in bioql PyPI...

Efficient Retail Video Annotation: a Robust Key Frame Generation Approach for Product and Customer Interaction Analysis

Accurate video annotation plays a vital role in modern retail applications, including customer behavior analysis, product interaction detection, and in-store activity recognition. However, conventional annotation methods heavily rely on time-consuming manual labeling by human annotators,...

CVE-2025-31534

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in shopperdotcom Shopper shopper allows SQL Injection.This issue affects Shopper: from n/a through = 3.2.5...

CVE-2025-3063 Shopper Approved Reviews 2.0 - 2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaxcallbackupdatesaoption function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with...

CVE-2025-3063

CVE-2025-3063 (Shopper Approved Reviews, WordPress) is a real vulnerability affecting the Shopper Approved Reviews plugin (versions 2.0–2.1) where a missing capability check in ajax_callback_update_sa_option() allows authenticated users with Subscriber+ privileges to modify arbitrary site options...