{"id":"CVE-2026-25858","details":"macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.","modified":"2026-03-15T14:15:08.341954Z","published":"2026-02-07T22:16:02.753Z","references":[{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"},{"type":"REPORT","url":"https://github.com/macrozheng/mall/issues/946"},{"type":"REPORT","url":"https://www.macrozheng.com/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/macrozheng/mall","events":[{"introduced":"0"},{"last_affected":"dd617ac3fe89c8083af56bee3364b1e812cda3ed"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.3"}]}}],"versions":["v1.0.0","v1.0.1","v1.0.2","v1.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25858.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}