CVE-2026-47740 affects Shopper, a headless e-commerce admin panel, prior to version 2.8.0. The vulnerability allows authenticated low-privilege users to perform order management actions without proper permissions. Users with read-only access could cancel orders, mark them as paid or complete, capture payments, and modify shipments. The capturePayment action could trigger actual payment service provider captures, resulting in real funds movement. This represents a critical privilege escalation that could lead to financial fraud and order manipulation.