Skip to main content

Evershop CVE-2026-28213

CRITICAL
Information Exposure (CWE-200)
2026-02-26 security-advisories@github.com
Information Disclosure Evershop
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Feb 26, 2026 - 23:16 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.

AnalysisAI

Information disclosure in EverShop e-commerce platform before 2.1.1 through the Forgot Password functionality. API responses reveal sensitive information when invalid data is submitted.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access Forgot Password endpoint
Delivery
Submit target email address
Exploit
Receive password reset token in API response
Execution
Use token to reset victim account password
Impact
Gain full account access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions — remote unauthenticated exploitation against default EverShop installations versions prior to 2.1.1 with Forgot Password endpoint exposed. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker sends crafted password reset requests to enumerate users or extract internal system information.
Remediation Update to EverShop 2.1.1. Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Disable the 'Forgot Password' feature if operationally feasible, or implement emergency WAF rules to restrict access to password reset endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28213 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy