
276186 matches found

Vulnrichment
added 2026/03/26 4:42 p.m. | 1 view

CVE-2026-33015 EVerest has RemoteStop Bypass via BCB Toggle Session Restart

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop StopTransaction, the EVSE can return to PrepareCharging via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass...

5.2 CVSS | 5.9 AI score | 0.00214 EPSS
Exploits: 1 | References: 1

EUVD
added 2026/03/26 4:42 p.m. | 5 views

EUVD-2026-16254

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop StopTransaction, the EVSE can return to PrepareCharging via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass...

5.2 CVSS | 5.9 AI score | 0.00214 EPSS
Exploits: 1 | References: 1

OSSF Malicious Packages
added 2026/03/26 4:40 p.m. | 5 views

Malicious code in spr-i18n-labels (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59aab6cd08bb49192276e3b198d9caf42969db9f6793c54f4e1ca2b49c78fc04 The package spr-i18n-labels was found to contain malicious code. Source: ghsa-malware 01ee0be82b4212526afd2aaa40dc1ba0939646f6c94911550d3b648f8cd1d38...

5.8 AI score
Exploits: 0 | References: 1

Cvelist
added 2026/03/26 4:40 p.m. | 20 views

CVE-2026-33014 EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores authorized back to true, defeating the stoptransaction call condition on PowerOff events. As a result, the transaction can remain open even after a remote...

5.2 CVSS | 0.00208 EPSS
Exploits: 1 | References: 1

Vulnrichment
added 2026/03/26 4:40 p.m. | 0 views

CVE-2026-33014 EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores authorized back to true, defeating the stoptransaction call condition on PowerOff events. As a result, the transaction can remain open even after a remote...

5.2 CVSS | 5.9 AI score | 0.00208 EPSS
Exploits: 1 | References: 1

OSV
added 2026/03/26 4:40 p.m. | 4 views

CVE-2026-33014 EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores authorized back to true, defeating the stoptransaction call condition on PowerOff events. As a result, the transaction can remain open even after a remote...

5.2 CVSS | 5.9 AI score | 0.00208 EPSS
Exploits: 1 | References: 3

Cvelist
added 2026/03/26 4:39 p.m. | 21 views

CVE-2026-33009 EVerest: MQTT Switch-Phases Command Data Race Causing Charger State Corruption

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT everestexternal/nodered/connector/cmd/switchthreephaseswhilecharging message and results in Charger::sharedcontext / internalcontext...

8.2 CVSS | 0.00248 EPSS
Exploits: 1 | References: 1

ATTACKERKB
added 2026/03/26 4:37 p.m. | 2 views

CVE-2026-29044

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transactionactive=false and only calls withdrawauthorizationcallback. This path ultimately calls Charger::deauthorize, but no...

5 CVSS | 5.8 AI score | 0.00288 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

ATTACKERKB
added 2026/03/26 4:34 p.m. | 7 views

CVE-2026-27828

EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup uses v2gctx after it has been freed when ISO15118 initialization fails (e.g., no IPv6 link-local address). The EVSE process can be crashed remotely by an attacker with MQTT access who issue...

6.9 CVSS | 5.8 AI score | 0.00286 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2026/03/26 4:32 p.m. | 5 views

CVE-2026-27816 EVerest's ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state

EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can...

6.9 CVSS | 5.9 AI score | 0.00197 EPSS
Exploits: 0 | References: 3

EUVD
added 2026/03/26 4:32 p.m. | 4 views

EUVD-2026-16226

EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can...

6.9 CVSS | 5.8 AI score | 0.00197 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/26 4:30 p.m. | 3 views

CVE-2026-27815 EVerest: ISO15118 session_setup payment options overflow can corrupt EVSE state

EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can...

6.9 CVSS | 5.9 AI score | 0.00272 EPSS
Exploits: 0 | References: 1

Cvelist
added 2026/03/26 4:30 p.m. | 22 views

CVE-2026-27815 EVerest: ISO15118 session_setup payment options overflow can corrupt EVSE state

EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can...

6.9 CVSS | 0.00272 EPSS
Exploits: 0 | References: 1

CVE
added 2026/03/26 4:30 p.m. | 14 views

CVE-2026-27815

CVE-2026-27815 affects EVerest EV charging stack. Prior to 2026.02.0, the function ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With default schema validation disabled, oversized MQTT Cmd payl...

9.1 CVSS | 5.8 AI score | 0.00272 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/03/26 4:27 p.m. | 16 views

CVE-2026-27814 EVerest EvseManager phase-switch path has unsynchronized shared-state access race condition

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered when a 1-phase ↔ 3-phase switch request (acswitchthreephaseswhilecharging) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch...

4.2 CVSS | 0.00134 EPSS
Exploits: 0 | References: 1

EUVD
added 2026/03/26 4:27 p.m. | 3 views

EUVD-2026-16222

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered when a 1-phase ↔ 3-phase switch request (acswitchthreephaseswhilecharging) during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch...

4.2 CVSS | 5.8 AI score | 0.00134 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/26 4:23 p.m. | 1 view

CVE-2026-27813 EVerest has use-after-free in auth timeout timer via race condition

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events or delayed authorization response. Version 2026.2.0 contains a patch...

5.3 CVSS | 5.9 AI score | 0.00126 EPSS
Exploits: 0 | References: 1

EUVD
added 2026/03/26 4:23 p.m. | 6 views

EUVD-2026-16220

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events or delayed authorization response. Version 2026.2.0 contains a patch...

5.3 CVSS | 5.8 AI score | 0.00126 EPSS
Exploits: 0 | References: 1

CVE
added 2026/03/26 4:23 p.m. | 9 views

CVE-2026-27813

CVE-2026-27813 affects the EVerest EV charging software stack. Versions prior to 2026.02.0 contain a data race that can lead to a use-after-free condition. The issue is triggered by EV plug-in/unplug events and RFID/RemoteStart/OCPP authorization events (or delayed authorization responses). A pat...

5.3 CVSS | 5.8 AI score | 0.00126 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2026/03/26 4:23 p.m. | 2 views

CVE-2026-27813 EVerest has use-after-free in auth timeout timer via race condition

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events or delayed authorization response. Version 2026.2.0 contains a patch...

5.3 CVSS | 5.9 AI score | 0.00126 EPSS
Exploits: 0 | References: 3