CVE-2026-25858

Unknown Unknown - Not Provided

Authentication Bypass in macrozheng mall Password Reset Enables Account Takeover

Publication date: 2026-02-07

Last updated on: 2026-04-07

Assigner: VulnCheck

Description

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-07

Last Modified

2026-04-07

Generated

2026-06-16

AI Q&A

2026-02-08

EPSS Evaluated

2026-06-14

NVD

CVE-2026-25858

EUVD

EUVD-2026-5713

Affected Vendors & Products

Vendor	Product	Version / Range
macrozheng	mall	to 1.0.3 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-640	The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

Executive Summary

This vulnerability exists in macrozheng mall version 1.0.3 and earlier. It is an authentication flaw in the password reset workflow of the mall-portal. An unauthenticated attacker can reset any user's password by using only the victim's telephone number.

The issue arises because the password reset process exposes the one-time password (OTP) directly in the API response and validates the reset request solely by comparing the provided OTP to a stored value linked to the telephone number. There is no verification of the user's identity or ownership of the telephone number.

As a result, an attacker who knows or can guess a victim's telephone number can remotely take over that user's account by resetting their password.

Impact Analysis

This vulnerability can lead to remote account takeover by attackers without any authentication.

Attackers can reset passwords of any user if they know or guess the user's telephone number.
Compromised accounts may lead to unauthorized access to personal or sensitive information.
It can result in loss of user trust and potential financial or reputational damage.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-25858. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-25858

Authentication Bypass in macrozheng mall Password Reset Enables Account Takeover

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart