PT-2026-22209 · Evershop · Evershop
Odgrso
· Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-28213
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
EverShop versions prior to 2.1.1
Description
EverShop, a TypeScript-first eCommerce platform, has an issue in its "Forgot Password" functionality. When a target email address is submitted, the API response includes the password reset token generated for that account. The token is intended to be a secret that only the recipient of the reset email knows, so anyone who knows a victim's email address can read it straight from the response and take over the associated account without ever seeing the mailbox.
Recommendations
Update to version 2.1.1 or later.
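The following is an added illustration and is not EverShop's code: a minimal "forgot password" flow written in the vulnerable shape the advisory describes (the reset token echoed in the JSON response) next to a hardened handler that delivers the token only by email, plus the check a tester would run against a real response. The store, the outbox, the hostname shop.example, the route shape and all function names are assumptions for the example.

```typescript
// Added example, not EverShop's code. Models the flaw described above and its fix.
import { randomBytes, createHash, scryptSync, timingSafeEqual } from "node:crypto";

interface User {
  email: string;
  passwordHash?: string;     // "salthex:scrypthex", set on a successful reset
  resetTokenHash?: string;   // sha256 of the token; the raw token is never stored
  resetExpires?: number;     // epoch milliseconds
}

// Constructed sample store and an outbox standing in for real mail delivery.
export const users = new Map<string, User>([["alice@example.com", { email: "alice@example.com" }]]);
export const outbox: { to: string; link: string }[] = [];

const TOKEN_TTL_MS = 15 * 60 * 1000;

function issueResetToken(user: User): string {
  const token = randomBytes(32).toString("hex");   // 256 bits of entropy
  user.resetTokenHash = createHash("sha256").update(token).digest("hex");
  user.resetExpires = Date.now() + TOKEN_TTL_MS;
  outbox.push({ to: user.email, link: `https://shop.example/reset?token=${token}` });
  return token;
}

// VULNERABLE shape (as in the advisory): the unauthenticated caller receives
// the same secret that was just mailed to the victim.
export function forgotPasswordVulnerable(email: string) {
  const user = users.get(email);
  if (!user) return { status: 404, body: { message: "No such user" } };
  const token = issueResetToken(user);
  return { status: 200, body: { message: "Reset email sent", token } };
}

// HARDENED: the token leaves the server only inside the email, and the response
// is identical whether or not the address exists (no account enumeration).
export function forgotPasswordFixed(email: string) {
  const user = users.get(email);
  if (user) issueResetToken(user);
  return { status: 200, body: { message: "If that address is registered, a reset email has been sent" } };
}

// Redeeming a token: constant-time hash comparison, expiry, single use.
export function resetPassword(email: string, token: string, newPassword: string): boolean {
  const user = users.get(email);
  if (!user || !user.resetTokenHash || !user.resetExpires) return false;
  if (Date.now() > user.resetExpires) return false;
  const presented = Buffer.from(createHash("sha256").update(token).digest("hex"), "hex");
  const stored = Buffer.from(user.resetTokenHash, "hex");
  if (presented.length !== stored.length || !timingSafeEqual(presented, stored)) return false;
  const salt = randomBytes(16);
  user.passwordHash = salt.toString("hex") + ":" + scryptSync(newPassword, salt, 32).toString("hex");
  user.resetTokenHash = undefined;   // single use
  user.resetExpires = undefined;
  return true;
}

// Tester's check: does the HTTP response body contain the secret that was mailed?
export function responseLeaksToken(body: unknown, mailedLink: string): boolean {
  const token = new URL(mailedLink).searchParams.get("token") ?? "";
  return token.length > 0 && JSON.stringify(body).includes(token);
}

// Walk-through: attacker submits the victim's email, reads the token from the
// response and resets the password; then the same check against the fixed handler.
export function demo(): { vulnerableLeaks: boolean; fixedLeaks: boolean; takeover: boolean } {
  outbox.length = 0;
  const v = forgotPasswordVulnerable("alice@example.com");
  const vulnerableLeaks = responseLeaksToken(v.body, outbox[0].link);
  const echoed = String((v.body as { token?: string }).token ?? "");
  const takeover = resetPassword("alice@example.com", echoed, "attacker-chosen-password");
  outbox.length = 0;
  const f = forgotPasswordFixed("alice@example.com");
  const fixedLeaks = responseLeaksToken(f.body, outbox[0].link);
  return { vulnerableLeaks, fixedLeaks, takeover };
}
```

Against a live instance the equivalent check is to trigger the reset for an account whose mailbox you control, pull the token out of the email, and grep the raw HTTP response (headers and body) for it; a fixed build returns nothing that correlates with the mailed link. The hardened handler also answers identically for unknown addresses, which is general reset-flow hygiene rather than something this advisory reports.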
Information Disclosure
Related Identifiers
Affected Products
Evershop