A vulnerability classified as critical was found in ShopXO up to 6.7.1 . This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint . Executing a manipulation can lead to authorization bypass. This vulnerability is handled as CVE-2026-12204 . The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did no