Password Reset Vulnerability in Macrozheng Mall by Macrozheng
CVE-2026-25858

9.3CRITICAL

Key Information:

Vendor

Macrozheng

Status
Mall
Vendor
CVE Published:
7 February 2026

What is CVE-2026-25858?

The Macrozheng Mall versions up to 1.0.3 have a serious authentication vulnerability in the password reset process. An attacker can exploit this flaw to reset a user’s password simply by knowing their telephone number. This occurs because the password reset workflow incorrectly exposes the one-time password (OTP) in the API response and does not adequately verify the user’s identity or phone number ownership. Consequently, an unauthorized individual may gain access to any user's account, potentially leading to data breaches and other malicious activities.

Affected Version(s)

mall 0 <= 1.0.3

References

https://github.com/macrozheng/mall/issues/946
issue-tracking
https://www.macrozheng.com/
product
https://www.vulncheck.com/advisories/macrozheng-mall-unau...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lennon Chia
.