CVE-2026-33014

The CVE-2026-33014 entry describes a vulnerability in the EVerest EV charging software stack where, before version 2026.02.0, a delayed authorization response during RemoteStop processing resets the authorized flag to true, bypassing the stop_transaction() condition on PowerOff events. This allow...

CVE-2026-33014 EVerest has Delayed Authorization Response Bypasses Termination After RemoteStop

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores authorized back to true, defeating the stoptransaction call condition on PowerOff events. As a result, the transaction can remain open even after a remote...

CVE-2026-29044

EVerest EV charging software stack vulnerability CVE-2026-29044: before version 2026.02.0, processing WithdrawAuthorization prior to TransactionStarted can leave transaction_active=false and trigger deauthorize without performing StopTransaction in the Charging state, enabling authorization withd...

CVE-2026-29044

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transactionactive=false and only calls withdrawauthorizationcallback. This path ultimately calls Charger::deauthorize, but no...

EUVD-2026-16230

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transactionactive=false and only calls withdrawauthorizationcallback. This path ultimately calls Charger::deauthorize, but no...

CVE-2026-28230

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId a sequential integer starting from 1 without verifying that the requesting charger matches...

CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId a sequential integer starting from 1 without verifying that the requesting charger matches...

CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId a sequential integer starting from 1 without verifying that the requesting charger matches...

CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId a sequential integer starting from 1 without verifying that the requesting charger matches...

CVE-2023-49956

An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP Open Charge Point Protocol for electric vehicles. A StopTransaction message with any random transactionId terminates active transactions...