Four critical vulnerabilities affect Mobiliti e-mobi.hu charging stations worldwide, enabling unauthorized administrative control and denial-of-service attacks. CVE-2026-26051 allows station impersonation through unauthenticated WebSocket endpoints. CVE-2026-20882 enables brute-force and DoS attacks via unrestricted authentication attempts. CVE-2026-27764 permits session hijacking through predictable identifiers. CVE-2026-27777 exposes authentication identifiers publicly via mapping platforms. The vulnerabilities impact Energy and Transportation critical infrastructure sectors with CVSS scores ranging from 6.5 to 9.4. Mobiliti has not responded to CISA coordination efforts, leaving all versions affected without available patches.