Vulnerability Details CVE-2026-28213
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.2%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-28213
-
cpe:2.3:a:evershop:evershop:1.0.0
-
cpe:2.3:a:evershop:evershop:1.1.0
-
cpe:2.3:a:evershop:evershop:1.2.0
-
cpe:2.3:a:evershop:evershop:1.2.1
-
cpe:2.3:a:evershop:evershop:1.2.2
-
cpe:2.3:a:evershop:evershop:2.0.0
-
cpe:2.3:a:evershop:evershop:2.0.1
-
cpe:2.3:a:evershop:evershop:2.1.0