CVE-2026-28213 · CRITICAL 9.8 · EPSS percentile 35.5%


Description

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality: when a caller submits a target email address, the API response returns the password reset token directly to that caller. An attacker who knows a victim's email address can therefore obtain the token and use it to set a new password, taking over the associated account. Version 2.1.1 fixes the issue.
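The pattern behind this advisory, shown as an added example that is not EverShop's own code: a hypothetical forgot-password handler that echoes the reset token to the API caller, the same handler hardened so the token only reaches the mailbox, and a short attacker routine showing that the vulnerable variant lets anyone who knows the email finish the reset. The user store, mailer outbox, function names and the 15-minute token lifetime are all assumptions for the illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Hypothetical in-memory stand-ins for a user table and an outbound mailer
// (not EverShop's storage or mail API).
interface User {
  email: string;
  passwordHash: string;
  resetTokenHash?: string;
  resetExpires?: number;
}
const users = new Map<string, User>();
const outbox: { to: string; token: string }[] = []; // what the mailer "sent"

function sha256(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

function seedUser(email: string, password: string): void {
  users.set(email, { email, passwordHash: sha256(password) });
}

function issueToken(user: User): string {
  const token = randomBytes(32).toString("hex");
  user.resetTokenHash = sha256(token); // store only a hash; a DB leak must not yield usable tokens
  user.resetExpires = Date.now() + 15 * 60_000; // assumed lifetime
  outbox.push({ to: user.email, token }); // the only place the raw token should go
  return token;
}

// VULNERABLE (CWE-640): the token meant for the mailbox is also returned to the caller.
function forgotPasswordVulnerable(email: string): { success: boolean; token?: string } {
  const user = users.get(email);
  if (!user) return { success: false };
  const token = issueToken(user);
  return { success: true, token };
}

// HARDENED: the token is never in the response, and the response is the same
// whether or not the address is registered (no account enumeration).
function forgotPasswordFixed(email: string): { message: string } {
  const user = users.get(email);
  if (user) issueToken(user);
  return { message: "If that address is registered, a reset link has been sent." };
}

// Completes a reset: constant-time compare of the hashed token, expiry check, single use.
function resetPassword(email: string, token: string, newPassword: string): boolean {
  const user = users.get(email);
  if (!user || !user.resetTokenHash || !user.resetExpires) return false;
  if (Date.now() > user.resetExpires) return false;
  const given = Buffer.from(sha256(token), "hex");
  const stored = Buffer.from(user.resetTokenHash, "hex");
  if (given.length !== stored.length || !timingSafeEqual(given, stored)) return false;
  user.passwordHash = sha256(newPassword);
  delete user.resetTokenHash;
  delete user.resetExpires;
  return true;
}

function checkPassword(email: string, password: string): boolean {
  const user = users.get(email);
  return !!user && user.passwordHash === sha256(password);
}

// Attacker against the vulnerable handler: knowing the victim's email is enough.
function attackerTakeover(victimEmail: string): boolean {
  const resp = forgotPasswordVulnerable(victimEmail);
  if (!resp.token) return false;
  return resetPassword(victimEmail, resp.token, "attacker-chosen");
}

// Last token the mailer delivered to an address (stands in for reading the inbox).
function lastMailedToken(email: string): string | undefined {
  for (let i = outbox.length - 1; i >= 0; i--) {
    if (outbox[i].to === email) return outbox[i].token;
  }
  return undefined;
}
```

When checking a fix like this one, also confirm the token does not surface anywhere else a caller can read it (error bodies, debug headers, request logs) and that the response shape is identical for registered and unregistered addresses.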

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% probability of exploitation · percentile 35.5% · 2026-06-18T12:00:27Z
Published: 2026-02-26
Last modified: 2026-02-28

Underlying weaknesses· 2

CWE-200, CWE-640

References

  1. https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1
  2. https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw

Type      Target                                                        CWE      Confidence  Tier
Weakness  Exposure of Sensitive Information to an Unauthorized Actor   CWE-200  0%          live
Weakness  Weak Password Recovery Mechanism for Forgotten Password       CWE-640  0%          live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-25993
CVE-2025-3852
CVE-2025-28062
CVE-2026-26273
CVE-2026-2161
CVE-2026-8293
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.