Which versions of Mall are affected by CVE-2026-25858?

An unauthenticated attacker can reset any user account password in macrozheng mall v1.0.3 and earlier using only a phone number, enabling account takeover and unauthorized access to customer and…

How to fix or mitigate CVE-2026-25858?

Within 24 hours: Disable the password reset functionality or restrict it to authenticated users only; implement IP-based rate limiting on password reset endpoints; notify all users to monitor accounts for unauthorized access. Within 7 days: Deploy WAF rules to block suspicious password reset requests; conduct audit of password reset logs for exploitation; implement multi-factor authentication for account recovery. Within 30 days: Evaluate migration to patched version or alternative solutions; implement additional identity verification requirements beyond phone number for password resets; deploy SIEM alerts for account takeover patterns.

Mall CVE-2026-25858

Q: What is the CVSS score of CVE-2026-25858?

CVE-2026-25858 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

CRITICAL

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

2026-02-07 disclosure@vulncheck.com

Information Disclosure Mall

9.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 07, 2026 - 22:16 nvd

CRITICAL 9.3

DescriptionCVE.org

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

AnalysisAI

macrozheng mall e-commerce platform v1.0.3 has an authentication vulnerability in password reset enabling unauthorized account takeover.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain victim's telephone number

Delivery

Request password reset via API

Exploit

Extract OTP from response

Execution

Submit OTP with new password

Impact

Gain unauthorized account access