CVE-2026-47741: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in shopperlabs shopper
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
AI Analysis
Technical Summary
Shopperlabs' shopper product versions before 2.8.0 contain a race condition (CWE-362) in the CreateOrderFromCartAction::execute function. The function creates the order record before checking and incrementing the discount's total_use counter. Under high concurrency (e.g., flash sales), this leads to the discount usage_limit being exceeded without detection, allowing over-redemption of discounts. This flaw was addressed and fixed in version 2.8.0.
Potential Impact
The vulnerability allows the discount usage limit to be silently exceeded during concurrent order processing, resulting in discounts being applied more times than intended. This can cause financial loss to merchants due to over-redemption of coupons or discounts. There is no impact on confidentiality or availability reported. No known exploits are currently in the wild.
Mitigation Recommendations
Upgrade to shopper version 2.8.0 or later, where this race condition vulnerability is fixed. Patch status is not explicitly stated but the vendor has fixed the issue in version 2.8.0, so applying this official fix is the recommended remediation.
CVE-2026-47741: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in shopperlabs shopper
Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
CVSS v3.1
Score 5.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Shopperlabs' shopper product versions before 2.8.0 contain a race condition (CWE-362) in the CreateOrderFromCartAction::execute function. The function creates the order record before checking and incrementing the discount's total_use counter. Under high concurrency (e.g., flash sales), this leads to the discount usage_limit being exceeded without detection, allowing over-redemption of discounts. This flaw was addressed and fixed in version 2.8.0.
Potential Impact
The vulnerability allows the discount usage limit to be silently exceeded during concurrent order processing, resulting in discounts being applied more times than intended. This can cause financial loss to merchants due to over-redemption of coupons or discounts. There is no impact on confidentiality or availability reported. No known exploits are currently in the wild.
Mitigation Recommendations
Upgrade to shopper version 2.8.0 or later, where this race condition vulnerability is fixed. Patch status is not explicitly stated but the vendor has fixed the issue in version 2.8.0, so applying this official fix is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19dc07e29bf47b50ff85db
Added to database: 5/29/2026, 6:33:43 PM
Last enriched: 5/29/2026, 7:03:41 PM
Last updated: 5/31/2026, 4:53:41 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.