VYPR
Vendor: Everest

Products: 4
CVEs: 39
Across products: 40
Status: Private

Recent CVEs

  • CVE-2026-27816 | Critical | Mar 26, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized…

  • CVE-2026-27815 | Critical | Mar 26, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized…

  • CVE-2024-37310 | Critical | Jul 10, 2024
    risk 0.52 | cvss 9.0 | epss 0.01

    EVerest is an EV charging software stack. An integer overflow in the "v2g_incoming_v2gtp" function in the v2g_server.cpp implementation can allow a remote attacker to overflow the process' heap. This vulnerability is fixed in 2024.3.1 and 2024.6.0.

  • CVE-2026-27828 | High | Mar 26, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup uses v2g_ctx after it has been freed when ISO15118 initialization fails (e.g., no IPv6 link-local address). The EVSE process can be crashed remotely by an attacker…

  • CVE-2025-8871 | Medium | Nov 5, 2025
    risk 0.36 | cvss 5.6 | epss 0.00

    The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object.…

  • CVE-2025-3421 | Medium | Apr 11, 2025
    risk 0.33 | cvss 6.1 | epss 0.00

    The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization…

  • CVE-2026-29044 | Medium | Mar 26, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls…

  • CVE-2026-27814 | Medium | Mar 26, 2026
    risk 0.20 | cvss 4.2 | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered by an A 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) during charging/waiting executes concurrently with the state machine loop. Version…

  • CVE-2025-59399 | Low | Sep 15, 2025
    risk 0.13 | cvss 3.1 | epss 0.00

    libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation.

  • CVE-2025-59398 | Low | Sep 15, 2025
    risk 0.13 | cvss 3.1 | epss 0.00

    The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.

  • CVE-2026-33015 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop…

  • CVE-2026-33014 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain…

  • CVE-2026-33009 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging` message and results in…

  • CVE-2026-27813 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.2.0 contains a patch.

  • CVE-2026-26074 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::map<std::queue>` corruption. The trigger is CSMS GetLog/UpdateFirmware request (network) with an EVSE fault event (physical). This results in TSAN reports concurrent…

  • CVE-2026-26073 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race…

  • CVE-2026-26072 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished…

  • CVE-2026-26071 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access, with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0…

  • CVE-2026-26070 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map<std::optional>` concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished…

  • CVE-2026-26008 | Mar 26, 2026
    risk 0.00 | cvss | epss 0.00

    EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a…