Unrated severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 27, 2026
EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response
CVE-2026-28213
Description
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality: when a request specifies a target email address, the API response includes the password reset token issued for that account. Since the token is meant to reach only the account owner, its disclosure in the response allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
Affected products
- EverShop (no CPE assigned), affected range: < 2.1.1
References
- https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1 (MISC)
- https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw (CONFIRM)