Home / Vulnerability Intelligence / CVE-2026-22790

CVE-2026-22790 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 26, 2026

EVerest - Remote Code Execution

Published: March 26, 2026Updated: March 26, 2026

Overview

EVerest EV charging software stack < 2026.02.0 contains a buffer overflow caused by trusting 'len' after an assert in HomeplugMessage::setup_payload, letting remote attackers execute code via oversized SLAC payloads, exploit requires network access.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 5.3%(Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary code remotely, potentially taking full control of the system.

Mitigation

Update to version 2026.02.0 or later.

References

https://github.com/EVerest/EVerest/security/advisories/GHSA-wh8w-7cfc-gq7m

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2026-22790 - High (8.8) EVerest is an EV charging software stack. Prior to version 2026.02.0, `HomeplugMessage::setup_payload` trusts `len` after an `assert`; in release builds the check is removed, so oversized SLAC payloads are `memcpy`'d into a ~1497-byte stack buffer... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22790/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-22790
Severity: High
CVSS Score: 8.8
Type: buffer_overflow
Status: new
EPSS: 5.3%
Social Posts: 1

CWE

CWE-121

CVSS Metrics

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.3%Probability of exploitation in the next 30 days