CVE-2026-28213
Severity: CRITICAL (CVSS 9.8)
Description
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality: when a target email address is specified, the API response returns the password reset token for that account. An attacker who obtains the token can take over the associated account. Version 2.1.1 fixes the issue.
CVE Details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2/26/2026
Last modified: 2/28/2026
Source: nvd
Honeypot sightings: 0
Affected products
evershop:evershop
Weaknesses (CWE)
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
References
https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1 (source: security-advisories@github.com)
https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw (source: security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.