LeakyCreds

CVE-2026-28213 - Vulnerability Analysis

Severity: Critical (CVSS 9.8)

Last Updated: February 28, 2026

EverShop - Authentication Bypass

Published: February 26, 2026
Updated: February 28, 2026
Remotely exploitable

Overview

EverShop versions prior to 2.1.1 contain an information disclosure vulnerability in the Forgot Password functionality: the password reset token generated for the account is returned in the API response instead of reaching only the account holder's mailbox. An unauthenticated attacker who supplies a target user's email address therefore receives that user's reset token directly and can use it to set a new password, taking over the account.
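The pattern described above, as an added illustration that is not EverShop's code and does not reproduce its API: a minimal model of a forgot-password handler that echoes the reset token in its response, beside a hardened version that only delivers the token through the mail channel, plus a check a practitioner can run against any forgot-password response body. The user store, the mail outbox, all function names and the sample address are constructed for the example. The hardened handler also returns a uniform response for unknown addresses and stores only a hash of the token; those are extra hardening steps, not something the advisory covers.

```typescript
// Added illustration (not EverShop's code): a minimal model of a "Forgot Password"
// endpoint showing the disclosure pattern the advisory describes, beside a
// hardened version. Names, stores and the mail outbox are constructed here.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

interface User { email: string; passwordHash: string; }
interface ResetRecord { tokenHash: string; expiresAt: number; }

// Constructed in-memory stand-ins for the application database.
const users = new Map<string, User>([
  ["alice@example.com", { email: "alice@example.com", passwordHash: "hash-of-original-password" }],
]);
const resetTokens = new Map<string, ResetRecord>();

// Constructed mail outbox; in a real deployment this is the mail transport.
export const sentMail: { to: string; token: string }[] = [];

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// Mint a fresh random token, store only its hash (so a database read does not
// yield usable tokens), and give it a short lifetime.
function issueResetToken(email: string): string {
  const token = randomBytes(32).toString("hex");
  resetTokens.set(email, { tokenHash: sha256Hex(token), expiresAt: Date.now() + 15 * 60 * 1000 });
  return token;
}

// VULNERABLE pattern (what the advisory describes): the handler mails the token
// and ALSO echoes it in the API response, so whoever called the endpoint, not
// the mailbox owner, receives it.
export function forgotPasswordVulnerable(email: string): Record<string, unknown> {
  const user = users.get(email);
  if (!user) return { success: false, message: "User not found" };
  const token = issueResetToken(email);
  sentMail.push({ to: email, token });
  return { success: true, token };
}

// HARDENED pattern: the token leaves the server only through the mail channel,
// and the response is identical whether or not the account exists (the
// enumeration resistance is an extra step beyond what the advisory covers).
export function forgotPasswordHardened(email: string): Record<string, unknown> {
  const user = users.get(email);
  if (user) {
    const token = issueResetToken(email);
    sentMail.push({ to: email, token });
  }
  return { success: true, message: "If an account exists for that address, a reset link has been sent." };
}

// Redeem a token: expiry enforced, hash compared in constant time, single use.
export function resetPassword(email: string, token: string, newPasswordHash: string): boolean {
  const rec = resetTokens.get(email);
  if (!rec || Date.now() > rec.expiresAt) return false;
  const presented = Buffer.from(sha256Hex(token), "hex");
  const stored = Buffer.from(rec.tokenHash, "hex");
  if (presented.length !== stored.length || !timingSafeEqual(presented, stored)) return false;
  resetTokens.delete(email); // single use
  users.get(email)!.passwordHash = newPasswordHash;
  return true;
}

// Practitioner check: does a forgot-password response body carry any token-like
// field? Run it against the JSON your own deployment returns.
export function responseLeaksToken(body: Record<string, unknown>): boolean {
  return Object.keys(body).some((k) => /token|secret|reset/i.test(k));
}

// Walk-through of the takeover against the vulnerable handler: the attacker
// needs nothing but the victim's email address.
export function demonstrateTakeover(victimEmail: string): boolean {
  const body = forgotPasswordVulnerable(victimEmail);
  const leaked = body.token;
  if (typeof leaked !== "string") return false;
  return resetPassword(victimEmail, leaked, "hash-chosen-by-attacker");
}
```

To check a live deployment rather than this model, submit a forgot-password request for an address you control, capture the raw JSON response, and pass it to `responseLeaksToken`; a fixed instance should return only a generic acknowledgement with no token field, and the token should appear only in the mailbox.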

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 4.4% (probability of exploitation in the next 30 days)

Impact

An unauthenticated attacker who knows a victim's email address can obtain that victim's password reset token from the API response and use it to set a new password, taking over the account without any interaction from the victim.

Mitigation

Upgrade to version 2.1.1 or later. After upgrading, invalidate any password reset tokens issued while the vulnerable version was in use, since any of them could have been read from an API response.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 28, 2026

🔓 CVE-2026-28213 - Critical (9.8) EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attac... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28213/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28213
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: confirmed
EPSS: 4.4%
Social Posts: 1

CWE

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.4% (probability of exploitation in the next 30 days)