What is GHSA-h4mp-g9c6-xwph?

GHSA-h4mp-g9c6-xwph is a security advisory published by GitHub Security Advisories with Medium severity. Shopper: Missing authorization on Product admin Livewire sub-form components

Which CVE IDs does GHSA-h4mp-g9c6-xwph cover?

GHSA-h4mp-g9c6-xwph covers the following CVE IDs: CVE-2026-47742. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-h4mp-g9c6-xwph?

GHSA-h4mp-g9c6-xwph has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-h4mp-g9c6-xwph?

GHSA-h4mp-g9c6-xwph affects 1 product, including: composer/shopper/framework:\u003c 2.8.0.

GHSA-h4mp-g9c6-xwphMediumCVSS 6.5

Shopper: Missing authorization on Product admin Livewire sub-form components

Vendor

GitHub Security Advisories

Published

June 5, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-47742 →

📋 Description

Impact

Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products.

The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client.

Patches

Fixed in v2.8.0. Each sub-form store() now authorizes against edit_products and the product binding is locked.

Upgrade via:

composer require shopper/admin:^2.8

Workarounds

None. Upgrade to v2.8.0.

References

Pull request: https://github.com/shopperlabs/shopper/pull/511
CWE-862 Missing Authorization

🎯 Affected products1

composer/shopper/framework:< 2.8.0