CVE-2026-47743

CVE-2026-47743 is a high-severity cross-site scripting (XSS) vulnerability in shopper/framework (composer), affecting versions < 2.8.0. It is fixed in 2.8.0.

Summary

Workarounds

None. Upgrade to v2.8.0.

Impact

Three related defects in admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:

  • IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the #[Locked] attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
  • Sensitive data echoed back through a Hidden form field. Customers/Create::store() re-passed a Hidden _password form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.
  • Stored XSS on the product barcode. The product barcode field was rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}, so the value was echoed unescaped. An attacker with the edit_products permission could persist a malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2026-47743 has a CVSS score of 8.7 (High). The attack vector is the network; low privileges and user interaction are required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.8.0); upgrading removes the vulnerable code path.

Affected versions

shopper/framework (< 2.8.0)

Security releases

shopper/framework → 2.8.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Fixed in v2.8.0:

  • All vulnerable Livewire model identifiers are now marked #[Locked].
  • Customers/Create no longer round-trips the password through a Hidden form field; the plaintext password is hashed at action boundary and never returned to the client.
  • The product barcode rendering now escapes the value before passing it to the barcode generator, and the generator's output is wrapped in an <svg> context. Note that SVG markup itself does interpret event-handler attributes and <script> elements, so when reviewing the fix, the escaping and validation applied to the stored value, not the container element, is the control to verify.

Upgrade via:

composer require shopper/framework:^2.8
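The three defect classes above, each shown as the vulnerable pattern (in comments) beside a hardened form that applies the fixes described in this section. This is an added illustration, not code from shopper/framework: the class names ProductEdit and CustomerCreate, the property names, the Product and Customer models, the C128 symbology and the allowlist regex are assumptions for the example.

```php
<?php
// Added illustration, not shopper/framework's own code. Class, property and
// model names, the C128 symbology and the allowlist regex are assumptions.

namespace App\Livewire\Admin;

use App\Models\Customer;
use App\Models\Product;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Facades\Hash;
use Livewire\Attributes\Locked;
use Livewire\Component;
use Milon\Barcode\Facades\DNS1DFacade;

class ProductEdit extends Component
{
    use AuthorizesRequests; // harmless if the base component already has it

    // Allowlist for the barcode value. Anything outside it is rejected before
    // it reaches the generator or the template, so `<`, `"` and `on*=` are
    // never stored in the first place.
    private const BARCODE_PATTERN = '/^[A-Za-z0-9\-]{1,64}$/';

    // Defect 1 (IDOR). Before: `public int $productId;` with no attribute, so
    // a tampered wire payload could retarget any product. With #[Locked],
    // Livewire 3 throws if the client tries to change the value.
    #[Locked]
    public int $productId;

    public string $barcode = '';

    public function mount(Product $product): void
    {
        $this->authorize('update', $product);
        $this->productId = $product->id;
        $this->barcode   = (string) ($product->barcode ?? '');
    }

    public function save(): void
    {
        // The lock is defence in depth: still re-resolve and re-authorize the
        // record on every action, because the policy is the real boundary.
        $product = Product::findOrFail($this->productId);
        $this->authorize('update', $product);

        $data = $this->validate([
            'barcode' => ['nullable', 'string', 'regex:' . self::BARCODE_PATTERN],
        ]);
        $product->update(['barcode' => $data['barcode'] ?? '']);
    }

    // Defect 3 (stored XSS). Before, the Blade view did
    //   {!! DNS1DFacade::getBarcodeHTML($product->barcode, 'C128') !!}
    // on an unvalidated value. Here the value is re-checked against the
    // allowlist at render time too, so a row written by older code or by a
    // direct database edit cannot smuggle markup into the raw echo.
    public static function renderBarcode(?string $value): string
    {
        if ($value === null || !preg_match(self::BARCODE_PATTERN, $value)) {
            return ''; // render nothing rather than an error or the raw input
        }
        return DNS1DFacade::getBarcodeSVG($value, 'C128');
    }
}

class CustomerCreate extends Component
{
    use AuthorizesRequests;

    public string $email = '';
    public string $password = '';

    public function store(): void
    {
        $this->authorize('create', Customer::class);
        $data = $this->validate([
            'email'    => ['required', 'email', 'max:255'],
            'password' => ['required', 'string', 'min:12'],
        ]);

        // Defect 2. Before: a Hidden `_password` form field was passed straight
        // into the create payload, so the plaintext sat in the DOM and in the
        // Livewire snapshot. Hash at the action boundary and drop the plaintext
        // from component state so the response after store() never carries it.
        Customer::create([
            'email'    => $data['email'],
            'password' => Hash::make($data['password']),
        ]);
        $this->reset('email', 'password');
    }
}
```

In the Blade view, display the textual code with `{{ $product->barcode }}` and reserve the raw echo for the generator's output only: `{!! \App\Livewire\Admin\ProductEdit::renderBarcode($product->barcode) !!}`. A `wire:model`-bound password property still travels in the Livewire payload while the form is open; what the fix removes is the plaintext being written into the HTML and returned after the create action, so confirm that the stored value is a hash and that no Hidden field carries the credential.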

Frequently Asked Questions

  1. What is CVE-2026-47743? CVE-2026-47743 is a high-severity cross-site scripting (XSS) vulnerability in shopper/framework (composer), affecting versions < 2.8.0. It is fixed in 2.8.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2026-47743? CVE-2026-47743 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of shopper/framework are affected by CVE-2026-47743? shopper/framework (composer) versions < 2.8.0 are affected.
  4. Is there a fix for CVE-2026-47743? Yes. CVE-2026-47743 is fixed in 2.8.0. Upgrade to this version or later.
  5. Is CVE-2026-47743 exploitable, and should I be worried? Whether CVE-2026-47743 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-47743 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-47743? Upgrade shopper/framework to 2.8.0 or later.

Other vulnerabilities in shopper/framework

CVE-2026-47743, CVE-2026-47745, CVE-2026-47742, CVE-2026-47740
