LeakyCreds

CVE-2026-28213 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 26, 2026

EverShop - Authentication Bypass

Published: February 26, 2026 | Updated: February 26, 2026 | Remote Exploitable

Overview

EverShop < 2.1.1 contains an information disclosure vulnerability: the Forgot Password functionality returns the password reset token in its API response. An attacker who obtains the token can take over the account. Exploitation requires specifying the target email.
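The flaw class described above, shown as an added example that is not EverShop's code: a forgot-password handler that echoes the reset token to the caller, a hardened handler that sends it only by mail, and a regression check that fails if a mailed token appears in the response. The handler names, the in-memory stores and the response shape are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins for the user table, reset-token table and mail transport.
const users = new Map([['alice@example.test', { id: 1 }]]);
const resetTokens = new Map(); // sha256(token) -> { userId, expires }
const outbox = [];

// Creates a reset token for a known address and "mails" it; returns null otherwise.
function issueToken(email) {
  const user = users.get(email);
  if (!user) return null;
  const token = crypto.randomBytes(32).toString('hex');
  // Store only a digest so a database read does not yield usable tokens.
  const digest = crypto.createHash('sha256').update(token).digest('hex');
  resetTokens.set(digest, { userId: user.id, expires: Date.now() + 15 * 60 * 1000 });
  outbox.push({ to: email, token });
  return token;
}

// Flawed pattern (hypothetical handler): the secret meant for the mailbox
// owner is also returned to whoever submitted the email address.
function forgotPasswordLeaky(email) {
  const token = issueToken(email);
  return { status: 200, body: { data: { email, token } } };
}

// Hardened pattern: the token leaves the server only by mail, and the
// response is identical for registered and unregistered addresses.
function forgotPasswordHardened(email) {
  issueToken(email);
  return {
    status: 200,
    body: { data: { message: 'If the address is registered, a reset link has been sent.' } },
  };
}

// Regression check: no mailed token may appear anywhere in the serialized response.
function responseLeaksToken(response) {
  const text = JSON.stringify(response);
  return outbox.some((mail) => text.includes(mail.token));
}
```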

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can take over user accounts by obtaining password reset tokens.

Mitigation

Upgrade to version 2.1.1 or later.

Details

CVE ID: CVE-2026-28213
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new

CWE

  • CWE-200

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H