{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26008", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.553Z", "datePublished": "2026-03-26T14:43:41.711Z", "dateUpdated": "2026-03-26T19:52:11.512Z"}, "containers": {"cna": {"title": "EVerest has OOB via EVSE ID Indexing Mismatch in OCPP 2.0.1 UpdateAllowedEnergyTransferModes", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9"}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"version": "< 2026.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:43:41.711Z"}, "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch."}], "source": {"advisory": "GHSA-vw95-6jj7-3fv9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:38:51.739325Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:11.512Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:38:51.739325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:52.965Z"}}], "cna": {"title": "EVerest has OOB via EVSE ID Indexing Mismatch in OCPP 2.0.1 UpdateAllowedEnergyTransferModes", "source": {"advisory": "GHSA-vw95-6jj7-3fv9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "EVerest", "product": "everest-core", "versions": [{"status": "affected", "version": "< 2026.02.0"}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9", "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T14:43:41.711Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26008", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:11.512Z", "dateReserved": "2026-02-09T21:36:29.553Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T14:43:41.711Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C", "versionEndExcluding": "2026.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de VE. Las versiones anteriores a la 2026.02.0 tienen un acceso fuera de l\u00edmites (std::vector) que conduce a una posible ca\u00edda remota/corrupci\u00f3n de memoria. Esto se debe a que el CSMS env\u00eda UpdateAllowedEnergyTransferModes a trav\u00e9s de la red. La versi\u00f3n 2026.2.0 contiene un parche."}], "id": "CVE-2026-26008", "lastModified": "2026-03-31T13:45:52.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T15:16:32.510", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-vw95-6jj7-3fv9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.02.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "everest-core", "source": "cna", "vendor": "EVerest"}, "product": "everest-core", "vendor": "everest"}], "analysis": {"en": {"generated_at": "2026-03-31T15:38:32.874028+00:00", "value": {"mitigation_remediation": ["Update the EVerest everest\u2011core package to version 2026.02.0 or later to apply the fix for the out\u2011of\u2011bounds access.", "Verify that the installed package version reflects the update by checking the release documentation or package metadata.", "Monitor the system for unusual crashes or memory corruption, and examine logs for OCPP messages that may indicate exploitation attempts.", "If the update cannot be applied immediately, isolate the affected component from external OCPP traffic until a patch or mitigation is in place."], "summary": {"action": "Patch", "impact": "Out\u2011of\u2011bounds vector access causing potential memory corruption and crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects deployments of the EVerest everest\u2011core package on Linux running any release prior to 2026.02.0. Versions 2026.02.0 and newer contain the patch that resolves the indexing mismatch.", "description_and_impact": "EVerest, an EV charging software stack, has a flaw that permits reading beyond the bounds of a std::vector when the Charge Station Management System sends the UpdateAllowedEnergyTransferModes message in OCPP 2.0.1. This out\u2011of\u2011bounds access can corrupt memory or cause the application to crash, leading to loss of availability and potential integrity compromise of the charging control software.", "risk_and_exploitability": "The CVSS score of 7.5 signifies moderate\u2011to\u2011high severity, yet the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The issue is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is remote: an adversary with control over a Charge Station Management System can send the UpdateAllowedEnergyTransferModes command to trigger the flaw, inferring a network\u2011based exploitation route."}}}}, "created": "2026-03-27T08:34:06.843968+00:00", "updated": "2026-03-31T20:09:00.949809+00:00", "vendors": ["everest", "everest$PRODUCT$everest-core"]}