PT-2026-44942 · Shopper · Shopper

Baradika · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-47741

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Shopper versions prior to 2.8.0

Description: A race condition exists in the CreateOrderFromCartAction::execute() function. The system creates an order row before verifying and incrementing the total use counter of a discount. Under high concurrent checkout pressure, such as flash sales or viral coupons, the global usage limit can be exceeded. This allows orders to be committed with discounts fully applied to the price amount even after the counter reaches the usage limit, without notifying the merchant of the over-redemption.

Recommendations: Update to version 2.8.0.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers: CVE-2026-47741

Affected Products: Shopper