Skip to main content

Everest Core EUVDEUVD-2026-16230

| CVE-2026-29044 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 GitHub_M
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.02.0
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16230
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
CVE Published
Mar 26, 2026 - 16:37 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

EVerest is an EV charging software stack. Prior to versions to 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transaction_active=false and only calls withdraw_authorization_callback. This path ultimately calls Charger::deauthorize(), but no actual stop (StopTransaction) occurs in the Charging state. As a result, authorization withdrawal can be defeated by timing, allowing charging to continue. Version 2026.02.0 contains a patch.

AnalysisAI

EVerest EV charging software before version 2026.02.0 fails to properly stop charging transactions when authorization withdrawal occurs before the TransactionStarted event, allowing attackers with high privileges to bypass deauthorization through precise timing and maintain unauthorized charging sessions. The vulnerability stems from incomplete StopTransaction handling in the Charging state, affecting IoT and Everest Core deployments with no currently available patch.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents moderate real-world risk despite a CVSS score of 5.0 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A high-privilege operator or compromised management system sends a WithdrawAuthorization message to a charging station running vulnerable EVerest-core. Due to race-condition timing, the message arrives before the TransactionStarted event is generated. …
Remediation Upgrade EVerest-core to version 2026.02.0 or later, which includes the upstream patch that ensures StopTransaction is executed regardless of transaction state when WithdrawAuthorization is processed (see GitHub Security Advisory GHSA-gx37-p775-qf5v at https://github.com/EVerest/EVerest/security/advisories/GHSA-gx37-p775-qf5v). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-22790 HIGH
8.8 Mar 26

Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attacker

CVE-2026-23995 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary

CVE-2026-22593 HIGH
8.4 Mar 26

Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certifica

CVE-2026-33009 HIGH
8.2 Mar 26

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attacker

CVE-2026-26008 HIGH
7.5 Mar 26

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unau

CVE-2026-26074 HIGH
7.0 Mar 26

Concurrent access to an internal event queue in EVerest-core (EV charging software stack) enables remote attackers to co

CVE-2026-26073 MEDIUM
5.9 Mar 26

EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling tr

CVE-2026-27828 MEDIUM
5.5 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a use-after-free vulnerability in the ISO15118_charg

CVE-2026-27816 MEDIUM
5.5 Mar 26

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handl

CVE-2026-27815 MEDIUM
5.5 Mar 26

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corr

CVE-2026-27813 MEDIUM
5.3 Mar 26

EVerest charging software stack versions prior to 2026.02.0 contain a data race condition leading to use-after-free memo

CVE-2026-33015 MEDIUM
5.2 Mar 26

EVerest charging software stack versions prior to 2026.02.0 allow EV operators to bypass remote stop commands issued by

Share

EUVD-2026-16230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy