CVE-2026-25858

CRITICAL

macrozheng mall <1.0.3 - Auth Bypass

Title source: llm

Description

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

References (3)

[Issue Tracking] https://github.com/macrozheng/mall/issues/946

[Various Sources] https://www.macrozheng.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure

Scores

CVSS v3 9.1

EPSS 0.0035

EPSS Percentile 57.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-640

Status published

Products (1)

macrozheng/mall < 1.0.3 (2 CPE variants)

Published Feb 07, 2026

Tracked Since Feb 18, 2026