{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22890", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-02-23T23:41:36.723Z", "datePublished": "2026-02-26T23:50:56.274Z", "dateUpdated": "2026-03-05T20:13:55.698Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ev2go.io", "vendor": "EV2GO", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."}], "value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-05T20:13:55.698Z"}, "references": [{"url": "https://ev2go.io/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"}], "source": {"advisory": "ICSA-26-057-04", "discovery": "EXTERNAL"}, "title": "EV2GO ev2go.io Insufficiently Protected Credentials", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "EV2GO did not respond to CISA's request for coordination. Contact EV2GO \nusing their contact page here: <a target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\">https://ev2go.io/</a> for more information.\n\n<br>"}], "value": "EV2GO did not respond to CISA's request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:37:13.392218Z", "id": "CVE-2026-22890", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:37:19.931Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T20:37:13.392218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:37:16.286Z"}}], "cna": {"title": "EV2GO ev2go.io Insufficiently Protected Credentials", "source": {"advisory": "ICSA-26-057-04", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EV2GO", "product": "ev2go.io", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://ev2go.io/"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"}], "workarounds": [{"lang": "en", "value": "EV2GO did not respond to CISA's request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information.", "supportingMedia": [{"type": "text/html", "value": "EV2GO did not respond to CISA's request for coordination. Contact EV2GO \nusing their contact page here: <a target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\">https://ev2go.io/</a> for more information.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms.", "supportingMedia": [{"type": "text/html", "value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-03-05T20:13:55.698Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22890", "state": "PUBLISHED", "dateUpdated": "2026-03-05T20:13:55.698Z", "dateReserved": "2026-02-23T23:41:36.723Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-02-26T23:50:56.274Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ev2go:ev2go.io:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D6AD607-0D02-460B-BB0F-0292101256B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms."}, {"lang": "es", "value": "Los identificadores de autenticaci\u00f3n de las estaciones de carga son accesibles p\u00fablicamente a trav\u00e9s de plataformas de mapeo basadas en la web."}], "id": "CVE-2026-22890", "lastModified": "2026-03-05T21:16:14.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-27T00:16:56.523", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://ev2go.io/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ev2go.io", "source": "cna", "vendor": "EV2GO"}, "product": "ev2go.io", "vendor": "ev2go"}], "analysis": {"en": {"generated_at": "2026-04-17T14:10:06.042878+00:00", "value": {"mitigation_remediation": ["Verify whether EV2GO infrastructure is currently deployed and if charging station authentication identifiers are exposed through public mapping services.", "Secure or encrypt authentication identifiers to prevent their public exposure; implement access controls or opt\u2011in configurations that restrict mapping visibility.", "Contact EV2GO via their website for remediation guidance and to report the vulnerability, as the vendor has not released a formal patch or coordination response."], "summary": {"action": "Assess Impact", "impact": "Credential Disclosure and Potential Unauthorized Management Access"}, "threat_synthesis": {"affected_systems": "The affected product is the EV2GO online platform for electric vehicle charging stations (EV2GO:ev2go.io). No specific version information is provided, so any deployment that leaves authentication identifiers exposed in public mapping services is potentially vulnerable.", "description_and_impact": "The vulnerability exposes charging station authentication identifiers that are publicly accessible through web\u2011based mapping platforms. This sensitive data exposure (CWE\u2011522) may allow an attacker to obtain credentials that could grant access to the charging station management interface, creating a confidentiality breach and a pathway to compromise integrity or availability of the charging infrastructure. While the official description does not explicitly state that these identifiers enable direct access to the management interface, it is inferred that they could be used for such purposes given the nature of the credentials involved.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate risk. The EPSS score is below 1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying that no known active exploits are reported. Based on publicly available information, the likely attack vector is a network\u2011based data collection that requires only reconnaissance of publicly exposed credentials, with no authentication required to access the data."}}}}, "created": "2026-02-27T09:03:26.928028+00:00", "updated": "2026-04-17T14:15:21.812886+00:00", "vendors": ["ev2go", "ev2go$PRODUCT$ev2go.io"]}