
CVE-2026-25858

Published 07/02/2026 22:16 · Modified 07/02/2026 22:16

Labels: CVE-2026-25858, 2026-02-07, CWE-640, [email protected]

Essential information

Published
07/02/2026 22:16
Modified
07/02/2026 22:16
Author
Creator
CVSS
9.3 CRITICAL (v3); 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
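The two defects the description names (the OTP echoed back in the API response, and a reset validated only by matching an OTP keyed on a phone number) map onto a small set of server-side controls. The following is an added illustration written for this page, not code from the mall project; `ResetService`, `Account`, the SMS stand-in list and the limits are assumptions.

```python
"""Hardened phone-based password reset (illustrative, not mall's code).
The OTP is delivered only out of band and never returned to the caller,
is stored hashed with an expiry and an attempt counter, is bound to the
account that owns the phone number, and is single use."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed lifetime of a challenge
MAX_ATTEMPTS = 5        # assumed guess budget for a 6-digit code


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Account:
    user_id: int
    phone: str
    password_hash: str = ""


@dataclass
class Challenge:
    user_id: int
    otp_hash: str
    expires_at: float
    attempts: int = 0


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.by_phone = {a.phone: a for a in accounts}
        self.challenges = {}   # keyed by user_id, not by phone
        self.now = now
        self.sent = []         # constructed stand-in for the SMS gateway

    def request_otp(self, phone: str) -> dict:
        account = self.by_phone.get(phone)
        if account:
            code = f"{secrets.randbelow(10**6):06d}"
            self.challenges[account.user_id] = Challenge(
                account.user_id, _h(code), self.now() + OTP_TTL_SECONDS)
            self.sent.append((phone, code))   # out-of-band delivery only
        # Same response whether or not the number exists; no OTP in it.
        return {"message": "If the number is registered, a code was sent"}

    def reset_password(self, phone: str, otp: str, new_password: str) -> bool:
        account = self.by_phone.get(phone)
        ch = self.challenges.get(account.user_id) if account else None
        if ch is None or self.now() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        if not hmac.compare_digest(ch.otp_hash, _h(otp)):
            return False
        del self.challenges[account.user_id]      # single use
        account.password_hash = _h(new_password)  # use bcrypt/argon2 in production
        return True
```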

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product
macrozheng / mall
CPE
cpe:2.3:a:macrozheng:mall:*:*:*:*:*:*:*:*

References