Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usagelimit was silently exceeded: orders were committed with the discount fully applied to priceamount while the counter blocked at usagelimit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47741.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-362"
]
}