Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-47744 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-47744 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-47744 is a critical authorization bypass vulnerability in Shopper, a headless e-commerce admin panel, affecting versions prior to 2.8.0, specifically within the team settings functionality of the panel's role-based access control (RBAC) system.

Technical Detail

The vulnerability consists of two distinct authorization defects in the team settings module that, when combined or exploited independently, allow any authenticated panel user to fully compromise the RBAC system regardless of their assigned privilege level. An attacker with a low-privileged account can manipulate team settings requests to escalate privileges or reassign roles, effectively taking administrative control over the entire panel. The practical impact is complete privilege escalation, enabling an attacker to modify permissions, add or remove users, and control all administrative functions within the Shopper instance.

Exploitation Status

No known exploit code has been identified at this time. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning no public proof-of-concept or active exploitation has been confirmed as of June 05, 2026. However, the low attack complexity and high CVSS score of 9.9 make this a high-priority patching target regardless of current exploitation status.

Who Is Targeting This

Confirmed (ATTAX-verified): UNC3886, a threat actor of Chinese origin operating with nation-state motivation, has been associated with this vulnerability at high confidence. No additional reported or research-inferred threat actor attribution is available at this time. The association of a sophisticated nation-state actor with this vulnerability warrants elevated concern even in the absence of confirmed active exploitation.

What To Do

Upgrade Shopper to version 2.8.0 or later immediately, as this release contains the fixes for both authorization defects. Given the critical CVSS score of 9.9 and the confirmed association with a nation-state threat actor, patching should be treated as urgent and completed within 24 to 48 hours. If immediate patching is not feasible, restrict access to the Shopper admin panel to trusted IP ranges only and audit all existing team and role configurations for unauthorized modifications. Review authentication logs for anomalous access patterns targeting team settings endpoints, particularly any requests that modify role assignments or RBAC configurations from non-administrative accounts.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →