PT-2026-6933 · Unknown · Macrozheng Mall

Lennon Chia · Published 2026-02-07 · Updated 2026-03-05 · CVE-2026-25858

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: macrozheng mall versions prior to 1.0.4

Description: The software contains an authentication flaw in the password reset process. An unauthenticated attacker can reset any user's password using only the victim's telephone number. The one-time password (OTP) is exposed in the API response, and password reset requests are validated only by comparing the supplied OTP with the value stored for that telephone number, without verifying the requester's identity or ownership of the number. This allows remote account takeover of any user whose telephone number is known or guessable. The vulnerable endpoint is the password reset flow in mall-portal. The root cause is the absence of identity and telephone-number-ownership verification during password reset requests.

Recommendations: Update macrozheng mall to version 1.0.4 or later.
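The weakness class above, shown as an added illustration that is not mall's own code (mall is a Java/Spring Boot project; this is a stand-alone Python sketch with constructed account data and hypothetical class names). WeakResetService reproduces the two defects the advisory names: the OTP is handed back in the API response, and the reset check is only "does the OTP match what is stored for this telephone number". HardenedResetService is an assumption about good practice, not a description of the 1.0.4 fix: the code leaves the server only through an out-of-band sender that proves possession of the number, it is bound to the account that owns the number, it is stored hashed, it expires, it is single-use, and wrong guesses are capped.

```python
# Added illustration (not macrozheng mall's code): the password-reset weakness
# class from the advisory, as a weak service beside a hardened one.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data: telephone number -> account name (assumption, not mall's schema).
ACCOUNTS = {"+15550001": "alice", "+15550002": "bob"}
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


class WeakResetService:
    """The pattern the advisory describes (hypothetical name)."""

    def __init__(self):
        self.otp_by_phone = {}
        self.passwords = {name: "old-password" for name in ACCOUNTS.values()}

    def request_otp(self, phone):
        code = _new_code()
        self.otp_by_phone[phone] = code
        # Defect 1: the secret meant for the number's owner is returned to whoever called.
        return {"code": 200, "data": code}

    def reset_password(self, phone, otp, new_password):
        # Defect 2: the only check is "OTP matches the value stored for this number";
        # nothing establishes who is asking or that they control the number.
        if self.otp_by_phone.get(phone) != otp:
            return False
        account = ACCOUNTS.get(phone)
        if account is None:
            return False
        self.passwords[account] = new_password
        return True


@dataclass
class PendingOtp:
    account: str        # the account the number belonged to when the code was issued
    digest: bytes       # salted hash of the code; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


class HardenedResetService:
    """Hardened flow (an assumption about good practice, hypothetical name)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms    # callable(phone, text): the only path the code takes out
        self.clock = clock          # injectable for testing expiry
        self.pending = {}
        self.passwords = {name: "old-password" for name in ACCOUNTS.values()}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def request_otp(self, phone):
        account = ACCOUNTS.get(phone)
        if account is not None:
            code = _new_code()
            salt = secrets.token_bytes(16)
            self.pending[phone] = PendingOtp(
                account=account,
                digest=self._digest(salt, code),
                salt=salt,
                expires_at=self.clock() + OTP_TTL_SECONDS,
            )
            self.send_sms(phone, f"Your password reset code is {code}")
        # Same response whether or not the number is registered: no code, no enumeration.
        return {"code": 200, "message": "If the number is registered, a code has been sent"}

    def reset_password(self, phone, otp, new_password):
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[phone]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[phone]         # too many guesses: the code is burned
            return False
        if not hmac.compare_digest(entry.digest, self._digest(entry.salt, otp)):
            return False
        del self.pending[phone]             # single use
        self.passwords[entry.account] = new_password
        return True
```

The design point for reviewers of any reset flow: the OTP's only legitimate exit from the server is the channel that proves possession of the telephone number, and the server-side record must tie the code to a specific account, an expiry, a use count and an attempt budget, so that knowing a number alone is not enough to change its password.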

Related Identifiers: CVE-2026-25858

Affected Products: Macrozheng Mall