CVE-2026-25858

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/macrozheng/mall/issues/946	Not Applicable
https://www.macrozheng.com/	Permissions Required
https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:macrozheng:mall:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-07 22:16

Updated : 2026-03-05 20:31

NVD link : CVE-2026-25858

Mitre link : CVE-2026-25858

CVE.ORG link : CVE-2026-25858

JSON object : View

Products Affected

macrozheng

mall

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

{"id": "CVE-2026-25858", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-07T22:16:02.753", "references": [{"url": "https://github.com/macrozheng/mall/issues/946", "tags": ["Not Applicable"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.macrozheng.com/", "tags": ["Permissions Required"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure", "tags": ["Third Party Advisory", "VDB Entry"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number."}, {"lang": "es", "value": "macrozheng mall versi\u00f3n 1.0.3 y anteriores contiene una vulnerabilidad de autenticaci\u00f3n en el flujo de trabajo de restablecimiento de contrase\u00f1a de mall-portal que permite a un atacante no autenticado restablecer contrase\u00f1as de cuentas de usuario arbitrarias utilizando solo el n\u00famero de tel\u00e9fono de una v\u00edctima. El flujo de restablecimiento de contrase\u00f1a expone la contrase\u00f1a de un solo uso (OTP) directamente en la respuesta de la API y valida las solicitudes de restablecimiento de contrase\u00f1a \u00fanicamente comparando la OTP proporcionada con un valor almacenado por n\u00famero de tel\u00e9fono, sin verificar la identidad del usuario o la propiedad del n\u00famero de tel\u00e9fono. Esto permite la toma de control remota de la cuenta de cualquier usuario con un n\u00famero de tel\u00e9fono conocido o predecible."}], "lastModified": "2026-03-05T20:31:48.817", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:macrozheng:mall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3962F288-B38B-436C-BE79-91257EF7680D", "versionEndIncluding": "1.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}