CVE-2026-25858

CRITICAL 9.1

macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure

CVSS Score

9.1

EPSS Score

0.3%

EPSS Percentile

56th

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

CWE	CWE-640
Vendor	macrozheng
Product	mall
Published	Feb 7, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for macrozheng mall

Be the first to know when new critical vulnerabilities affecting macrozheng mall are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

macrozheng / mall

0 ≤ 1.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/macrozheng/mall/issues/946 macrozheng.com: https://www.macrozheng.com/ vulncheck.com: https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure

Credits

Lennon Chia