CVE-2026-28213: EverShop RCE — Critical — Patch Now
EverShop Forgot Password leaks reset tokens in API response, enabling unauthenticated full account takeover (CVSS 9.8). Upgrade to version 2.1.1 immediately.
Patch now - CVE-2026-28213 is a critical account takeover vulnerability in EverShop (all versions before 2.1.1) that exposes password reset tokens in API responses, allowing any unauthenticated attacker to compromise any user or admin account. Upgrade to version 2.1.1 immediately to close this exploit.
Overview
A critical security vulnerability has been identified in the EverShop eCommerce platform. The flaw resides in the “Forgot Password” feature, where the system insecurely exposes sensitive data in its API response. This vulnerability allows an unauthenticated attacker to easily compromise user accounts.
Vulnerability Details
In affected versions of EverShop, when a user requests a password reset by submitting an email address, the platform’s API returns the actual password reset token directly in its response. This token is the cryptographic secret needed to complete a password change. By design, this token should only be delivered privately to the account owner, typically via a secure email link. By exposing it in the API response, the system allows anyone making the request to immediately see and use the token, bypassing all intended security controls.
Impact
The impact of this vulnerability is severe. An attacker can perform the following actions with minimal effort:
- Full Account Takeover: By obtaining the reset token, an attacker can change the password for any known user account, including administrative accounts.
- Privilege Escalation: Compromising an admin account can lead to complete system control, data theft, or website defacement.
- Data Breach: Attackers can access sensitive customer data, including personal information and order history.
- Financial Fraud: Control over merchant or customer accounts can be used to manipulate orders, issue refunds, or make unauthorized purchases.
This flaw received a CVSS score of 9.8 (CRITICAL) due to its low attack complexity, lack of required privileges, and high impact on confidentiality, integrity, and availability.
Remediation and Mitigation
The only complete solution is to immediately update the EverShop software.
- Immediate Action: All users must upgrade to EverShop version 2.1.1 or later. This version fixes the vulnerability by removing the password reset token from the API response.
- Upgrade Instructions:
  - Review the official EverShop release notes for version 2.1.1.
  - Follow standard update procedures for your deployment (e.g., using npm: npm update evershop).
  - Test the update in a staging environment before applying it to production.
- Temporary Mitigation (If Update is Delayed): As a temporary and incomplete measure, consider disabling the “Forgot Password” functionality at the web server or firewall level until the upgrade can be performed. This will disrupt legitimate user access but prevents exploitation.
- Post-Update: After applying the fix, it is recommended to audit administrator and user accounts for any signs of unauthorized access that may have occurred prior to the patch.
Always ensure you are running supported software versions and subscribe to security announcements for your platform dependencies.