CVE-2026-28213
Published: 26 February 2026
Summary
CVE-2026-28213 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Evershop Evershop. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 requires secure management and protection of authenticators like password reset tokens to prevent their disclosure in API responses.
SI-15 mandates filtering sensitive information such as password reset tokens from information system outputs prior to transmission.
SC-14 enforces approved authorizations for access to publicly accessible information, preventing exposure of reset tokens via unauthenticated API endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Public-facing forgot-password API flaw directly enables remote exploitation (T1190) resulting in account takeover and abuse of valid accounts (T1078) via exposed reset tokens.
NVD Description
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the…
more
associated account. Version 2.1.1 fixes the issue.
Deeper analysisAI
CVE-2026-28213 is a critical vulnerability in the "Forgot Password" functionality of EverShop, a TypeScript-first eCommerce platform. Versions prior to 2.1.1 are affected, where the API endpoint, upon receiving a target email address, returns the generated password reset token in the response. This exposure violates information disclosure principles (CWE-200) and improper handling of sensitive information in password recovery (CWE-640), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote, unauthenticated attackers with network access to exploit it with low complexity and no user interaction. By simply submitting a victim's email address to the forgot password API, an attacker obtains the reset token and can immediately use it to complete the password reset process, achieving full account takeover. This grants unauthorized access to the victim's account, potentially leading to data theft, fraudulent transactions, or further compromise within the eCommerce environment.
Mitigation is addressed in EverShop version 2.1.1, which fixes the issue by preventing the reset token from being returned in API responses. Security practitioners should upgrade to this version immediately. Additional details are available in the official GitHub security advisory (GHSA-cg73-g723-39jw) and the v2.1.1 release notes.
Details
- CWE(s)