CVE-2026-28213
Severity: CRITICAL (9.8)
Description
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2/26/2026
Last modified: 2/28/2026
Source: nvd
Honeypot sightings: 0
Affected products
evershop:evershop
Weaknesses (CWE)
CWE-200, CWE-640
References
https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1 (security-advisories@github.com)
https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.