Ev2go.Io
CVE-2026-25945
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AnalysisAI
Ev2go.Io's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force attacks to compromise user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and low exploit prevalence, this represents a significant availability and authentication risk requiring immediate mitigation.
Technical ContextAI
Classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Affects Ev2Go.Io. The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Missing WebSocket authentication vulnerability identical to CVE-2026-20781. Unauthenticated attackers can perform statio
Session hijacking in Ev2go.Io's WebSocket backend allows remote attackers to impersonate legitimate charging stations an
Ev2go.Io charging stations expose authentication credentials through publicly accessible web-based mapping platforms, al
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today