Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (DIVD) · only source for this CVE.
CVSS VectorVendor: DIVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.
AnalysisAI
Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Immediately isolate all evbee DC-80 charging stations from internet-facing network segments and block inbound access to TCP port 8090 at the firewall perimeter; document all affected assets. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-s
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships withou
Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on
Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network
Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) U
Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue priv
OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arb
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43328