CISA published CVE-2026-27772 on 2026-02-26 as a critical issue affecting EV Energy / ev.energy. According to the advisory, WebSocket endpoints used for OCPP communication do not enforce proper authentication. That weakness can let an unauthenticated attacker connect with a known or discovered charging-station identifier, impersonate a legitimate charger, and send or receive OCPP traffic as if they were an [truncated]
CVE-2026-26290 describes a WebSocket session-binding weakness in EV Energy / ev.energy where charging-station identifiers are used to associate sessions, but multiple endpoints can connect with the same session identifier. Because the identifiers are predictable, a later connection can displace the legitimate charging station and receive backend commands intended for that station. CISA’s advisory says this [truncated]
CVE-2026-25774 describes an information exposure issue in EV Energy / ev.energy where charging station authentication identifiers were publicly accessible through web-based mapping platforms. CISA published the advisory on 2026-02-26 and assigned a medium CVSS score of 6.5. The supplied source does not indicate exploitation, a KEV listing, or availability impact, but the exposure could still enable unauth [truncated]
CVE-2026-24445 is a high-severity issue in EV Energy / ev.energy where the WebSocket API does not restrict authentication request volume. According to CISA, that absence of rate limiting can let an attacker interfere with charger telemetry delivery or try repeated authentication attempts to gain unauthorized access. The advisory was initially published on 2026-02-26 and does not include a vendor patch or [truncated]