Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
Published: 2026-05-29
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in Shopper’s CreateOrderFromCartAction::execute allows the discount usage counter to be incremented after an order is committed, causing discount usage to exceed its intended global limit. The flaw does not provide code execution or direct manipulation of system resources; its primary impact is that merchants can receive more revenue reduction than authorized, leading to monetary loss and potential violations of coupon terms.

Affected Systems

Shopper Labs’ Shopper head‑less e‑commerce admin panel, versions released prior to 2.8.0. No specific sub‑versions are listed; any build before the patch may be affected.

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate assessment of severity. There is no EPSS data available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would most likely trigger this condition by accelerating checkout requests under high‑traffic scenarios—such as flash sales or a coordinated coupon abuse strategy—to coerce the system into processing more orders than the usage limit permits. The vulnerability requires concurrent access to the same discount record and does not rely on external exploits beyond normal e‑commerce traffic patterns.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shopper to version 2.8.0 or later to apply the concurrency fix.
  • Verify that discount usage is validated before order creation by reviewing the order creation workflow and conducting a test transaction using a discount with a set usage limit.
  • Enable logging or alerting for discount usage metrics so that any over‑redemption can be detected immediately.
  • Consider temporarily restricting bulk or rapid checkout requests during high‑traffic periods until the patch is deployed.

Generated by OpenCVE AI on May 29, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9rh9-hf3w-9fgg shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption
History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Shopperlabs
Shopperlabs shopper
Vendors & Products Shopperlabs
Shopperlabs shopper

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
Title Shopper: Race condition on Discount.usage_limit allows silent over-redemption
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Shopperlabs Shopper
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:18:41.685Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47741

cve-icon Vulnrichment

Updated: 2026-05-29T19:17:05.992Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T19:16:25.763

Modified: 2026-05-29T20:17:38.110

Link: CVE-2026-47741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:18:06Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')