Skip to main content

Elecv2P CVE-2026-5011

| EUVD-2026-16942 LOW
Code Injection (CWE-94)
2026-03-28 VulDB GHSA-vv3f-fcjm-crv5
Code Injection RCE Elecv2P
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 28, 2026 - 19:00 euvd
EUVD-2026-16942
Analysis Generated
Mar 28, 2026 - 19:00 vuln.today
CVE Published
Mar 28, 2026 - 18:30 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in elecV2 elecV2P up to 3.8.3. This vulnerability affects the function runJSFile of the file /webhook of the component JSON Parser. Performing a manipulation of the argument rawcode results in code injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While the CVSS score of 6.3 (Medium) reflects moderate severity, multiple factors elevate real-world risk: the attack requires only low-privilege authentication (PR:L) with no user interaction (UI:N), the attack vector is network-accessible (AV:N) with low complexity (AC:L), public exploit code is available, and the vendor remains unresponsive to disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with valid credentials (such as an administrator or user with API access) could craft a malicious HTTP request to the /webhook endpoint, injecting arbitrary JavaScript code in the rawcode parameter of the runJSFile function. The injected code would execute server-side within the elecV2P application context, potentially allowing the attacker to read sensitive files, modify application state, exfiltrate data, or use the compromised instance as a pivot point for lateral movement. …
Remediation Upgrade to a patched version of elecV2P released after version 3.8.3 if available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running elecV2 elecV2P and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5011 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy