What is the CVSS score of CVE-2026-26074?

CVE-2026-26074 has a CVSS 3.1 base score of 7.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H. EPSS exploitation probability: 0.0%.

Which versions of EVerest are affected by CVE-2026-26074?

CVE-2026-26074 affects EVerest-core EV charging software, allowing remote attackers to corrupt critical data structures and cause information disclosure or service disruption when specific charging…. A patch is available.

EVerest CVE-2026-26074

EUVD-2026-16218 HIGH

Race Condition (CWE-362)

2026-03-26 GitHub_M

Information Disclosure Race Condition

7.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:13 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2026.02.0

EUVD ID Assigned

Mar 26, 2026 - 16:45 euvd

EUVD-2026-16218

Analysis Generated

Mar 26, 2026 - 16:45 vuln.today

CVE Published

Mar 26, 2026 - 16:19 nvd

HIGH 7.0

DescriptionNVD

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible std::map<std::queue> corruption. The trigger is CSMS GetLog/UpdateFirmware request (network) with an EVSE fault event (physical). This results in TSAN reports concurrent access (data race) to event_queue. Version 2026.2.0 contains a patch.

AnalysisAI

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to corrupt critical data structures when CSMS GetLog or UpdateFirmware requests coincide with EVSE fault events, potentially causing information disclosure, data integrity issues, and high availability impact. The vulnerability affects all versions prior to 2026.02.0, for which a vendor patch is available. …

RemediationAI

Within 24 hours: Inventory all systems running EVerest-core and identify currently deployed versions (pre-2026.02.0 are vulnerable). Within 7 days: Develop and test upgrade path to EVerest-core version 2026.02.0 or later in non-production environment; assess operational impact of patching on charging network availability. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-26074 vulnerability details – vuln.today

Back