CVE-2026-28213

Critical CVSS: 9.8

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.

Vendor

Evershop

Product

Evershop

CWE

CWE-200

Yayın Tarihi

2026-02-26 23:16:35

Güncelleme

2026-02-28 01:18:18

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Evershop CRITICAL Evershop 2026

Referanslar

https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1 https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw

Benzer Kayıtlar

Critical

CVE-2026-25993

EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application e…

High

CVE-2025-67419

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the appl…

Medium

CVE-2025-67427

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to…

High

CVE-2025-65844

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/im…

Medium

CVE-2025-12919

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graph…