CVE-2026-28213: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in evershopcommerce evershop
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-28213 is a critical security vulnerability affecting EverShop, a TypeScript-first eCommerce platform. The vulnerability resides in the 'Forgot Password' functionality present in versions prior to 2.1.1. When an attacker submits a password reset request specifying a target email address, the API erroneously returns the password reset token in the response. This token is intended to be confidential and used only in a secure password reset flow. By exposing this token directly in the API response without authentication or user interaction, the vulnerability allows any remote attacker to retrieve the token and reset the password for the targeted account. This leads to a complete account takeover, compromising confidentiality, integrity, and availability of user accounts. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-640 (Weak Password Recovery Mechanism). The CVSS v3.1 base score is 9.8 (Critical), reflecting the ease of exploitation (network vector, no privileges or user interaction required) and the severe impact on affected systems. The flaw was publicly disclosed on February 26, 2026, and fixed in EverShop version 2.1.1. No known exploits in the wild have been reported yet, but the critical nature demands immediate remediation.
Potential Impact
The impact of CVE-2026-28213 is severe for organizations using vulnerable versions of EverShop. Attackers can remotely and anonymously obtain password reset tokens, enabling them to take over user accounts without any user interaction or authentication. This compromises user confidentiality and allows attackers to manipulate account data, perform fraudulent transactions, or escalate privileges within the eCommerce platform. The breach of customer accounts can lead to financial losses, reputational damage, and regulatory penalties due to exposure of personal and payment information. Additionally, attackers gaining control over administrative or merchant accounts could disrupt service availability or inject malicious content. Given EverShop's role in managing eCommerce operations, the vulnerability poses a significant risk to business continuity and customer trust worldwide.
Mitigation Recommendations
To mitigate CVE-2026-28213, organizations should immediately upgrade EverShop to version 2.1.1 or later, where the vulnerability is patched. Until the upgrade is applied, restrict access to the password reset API endpoint using network-level controls such as IP whitelisting or web application firewalls (WAF) with custom rules to detect and block abnormal password reset requests. Implement monitoring and alerting for unusual password reset activity, including multiple reset requests for the same account or from suspicious IP addresses. Review and enhance password reset workflows to ensure tokens are never exposed in API responses and are delivered securely via email or other out-of-band methods. Conduct thorough audits of user accounts for unauthorized access and enforce multi-factor authentication (MFA) to reduce the impact of compromised credentials. Finally, educate users about phishing and social engineering risks related to password resets.
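The recommendation that reset tokens "are never exposed in API responses and are delivered securely via email" is easiest to see as two handler shapes side by side. The following is an added example written for this page; it is not EverShop's code and does not reproduce its routes, data model or mailer. The in-memory `users` map, the `outbox` array standing in for a mail transport, the 15-minute validity window and the `shop.example` reset URL are all constructed assumptions. The vulnerable handler returns the token in the JSON body, which is the class of defect the advisory describes; the hardened handler persists only a hash of the token, sends the token out of band, and answers identically whether or not the address exists. `leaksToken` is a response-side check that can run as a regression test or as a middleware guard.

```typescript
// Added example: the two "forgot password" handler shapes discussed above.
// Everything here (store, mailer, URL, timings) is a stand-in, not EverShop's code.
import { randomBytes, createHash, timingSafeEqual } from "crypto";

interface ForgotPasswordRequest { email: string }
interface ApiResponse { status: number; body: Record<string, unknown> }
interface UserRecord { passwordHash?: string; resetTokenHash?: string; resetExpiresAt?: number }

const RESET_TTL_MS = 15 * 60_000;            // assumed validity window

// Constructed in-memory user store; one sample account.
const users = new Map<string, UserRecord>([["alice@example.com", {}]]);
// Constructed outbox standing in for an SMTP/queue transport.
export const outbox: { to: string; link: string }[] = [];

function newToken(): string { return randomBytes(32).toString("hex"); }
function hashToken(token: string): string { return createHash("sha256").update(token).digest("hex"); }

function issueToken(user: UserRecord): string {
  const token = newToken();
  user.resetTokenHash = hashToken(token);      // only the hash is persisted
  user.resetExpiresAt = Date.now() + RESET_TTL_MS;
  return token;
}

// Vulnerable shape: the secret the whole reset flow relies on is written into
// the API body, so whoever submits the address receives it.
export function forgotPasswordVulnerable(req: ForgotPasswordRequest): ApiResponse {
  const user = users.get(req.email);
  if (!user) return { status: 404, body: { error: "No such user" } };   // also enumerates accounts
  const token = issueToken(user);
  return { status: 200, body: { message: "Reset email sent", token } };
}

// Hardened shape: the token leaves only through the out-of-band channel and the
// response is the same for registered and unregistered addresses.
export function forgotPasswordHardened(req: ForgotPasswordRequest): ApiResponse {
  const user = users.get(req.email);
  if (user) {
    const token = issueToken(user);
    outbox.push({ to: req.email, link: `https://shop.example/reset?token=${token}` });
  }
  return { status: 200, body: { message: "If that address is registered, a reset link has been sent." } };
}

// Completing the flow: constant-time compare against the stored hash, enforce
// expiry, and invalidate the token after a single use.
export function resetPassword(email: string, token: string, newPassword: string): boolean {
  const user = users.get(email);
  if (!user || !user.resetTokenHash || !user.resetExpiresAt) return false;
  if (Date.now() > user.resetExpiresAt) return false;
  const presented = Buffer.from(hashToken(token), "hex");
  const stored = Buffer.from(user.resetTokenHash, "hex");
  if (presented.length !== stored.length || !timingSafeEqual(presented, stored)) return false;
  // Stand-in only: a real application stores passwords with a slow hash (argon2/bcrypt).
  user.passwordHash = hashToken(newPassword);
  delete user.resetTokenHash;
  delete user.resetExpiresAt;
  return true;
}

// Response-side guard: true if any top-level body field looks like a token.
export function leaksToken(res: ApiResponse): boolean {
  return Object.keys(res.body).some((k) => /token/i.test(k));
}
```

Running `leaksToken` over every response of the reset endpoint in an integration test is a cheap way to keep this class of regression out of a release; the generic message in the hardened handler also removes the account-enumeration signal that a 404 on unknown addresses would otherwise provide.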
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T15:28:40.649Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69a0cf8b32ffcdb8a25ff5fe
Added to database: 2/26/2026, 10:56:11 PM
Last enriched: 2/26/2026, 11:10:46 PM
Last updated: 2/26/2026, 11:59:01 PM