Packagist (Composer) package

shopper/framework

pkg:composer/shopper/framework

Vulnerabilities (4)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-47743	hig	—	< 2.8.0	2.8.0	Jun 5, 2026	## Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the
CVE-2026-47745	Med	6.5	< 2.8.0	2.8.0	May 29, 2026	Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corres
CVE-2026-47744	Cri	9.9	< 2.8.0	2.8.0	May 29, 2026	Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page an
CVE-2026-47742	Med	6.5	< 2.8.0	2.8.0	May 29, 2026	Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's

CVE-2026-47743higJun 5, 2026
affected < 2.8.0fixed 2.8.0
## Impact Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS: - **IDOR via unlocked properties.** Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the
CVE-2026-47745MedMay 29, 2026
affected < 2.8.0fixed 2.8.0
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corres
CVE-2026-47744CriMay 29, 2026
affected < 2.8.0fixed 2.8.0
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page an
CVE-2026-47742MedMay 29, 2026
affected < 2.8.0fixed 2.8.0
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's