CVE-2026-23955

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23955
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23955.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23955
Aliases
  • GHSA-px57-jx97-hrff
Published
2026-01-21T19:25:12.104Z
Modified
2026-03-13T04:07:06.974473Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
EVerest vulnerable to concatenation of strings literal and integers
Details

EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23955.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1046"
    ]
}
References

Affected packages

Git / github.com/everest/everest-core

Affected ranges

Type
GIT
Repo
https://github.com/everest/everest-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3beacf9bd5efe1109ff53f58a40f68582bfe99b3
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2025.9.0"
        }
    ]
}

Affected versions

2022.*
2022.12.0
2022.12.1
2023.*
2023.1.0
2023.10.0
2023.12.0
2023.2.0
2023.2.1
2023.3.0
2023.5.0
2023.6.0
2023.7.0
2023.8.0
2023.9.0
2023.9.1
2024.*
2024.1.0
2024.10.0
2024.11.0
2024.2.0
2024.3.0-rc1
2024.4.0
2024.5.0
2024.6.0-rc1
2024.6.0-rc2
2024.7.0
2024.7.1
2024.8.0
2024.9.0-rc1
2025.*
2025.1.0-rc1
2025.1.0-rc2
2025.2.0
2025.3.0
2025.4.0-rc1
2025.5.0
2025.6.0
2025.7.0
2025.7.0-rc1
2025.8.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23955.json"
vanir_signatures 
[
    {
        "source": "https://github.com/everest/everest-core/commit/3beacf9bd5efe1109ff53f58a40f68582bfe99b3",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-23955-2f94828d",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296119331210643435140494467430923056486",
                "20506104951866321960682041981156319326",
                "311595452720942138235191909965388625444",
                "22838778776198764978922933138584840790",
                "323258132419722979082553799862765548682"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "modules/EVSE/EvseV2G/iso_server.cpp"
        }
    },
    {
        "source": "https://github.com/everest/everest-core/commit/3beacf9bd5efe1109ff53f58a40f68582bfe99b3",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-23955-6362e428",
        "digest": {
            "length": 2170.0,
            "function_hash": "86176860166003917812351517793015906318"
        },
        "signature_type": "Function",
        "target": {
            "file": "modules/EVSE/EvseV2G/iso_server.cpp",
            "function": "handle_iso_session_setup"
        }
    }
]