Which versions of Elecv2P are affected by CVE-2026-5012?

Organizations using elecV2 elecV2P should be aware of notable risk from CVE-2026-5012, a OS command injection vulnerability rated CVSS 6.9.

Is there a public PoC exploit available for CVE-2026-5012?

Yes, a public proof-of-concept exploit is available for CVE-2026-5012. Prioritise patching immediately. EPSS: 1.0%.

Elecv2P CVE-2026-5012

Q: What is the CVSS score of CVE-2026-5012?

CVE-2026-5012 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

EUVD-2026-16943 MEDIUM

OS Command Injection (CWE-78)

2026-03-28 VulDB

Command Injection Elecv2P

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Mar 30, 2026 - 13:26 vuln.today

Public exploit code

EUVD ID Assigned

Mar 28, 2026 - 19:30 euvd

EUVD-2026-16943

Analysis Generated

Mar 28, 2026 - 19:30 vuln.today

CVE Published

Mar 28, 2026 - 19:15 nvd

MEDIUM 6.9

DescriptionCVE.org

A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Operating system command injection in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to execute arbitrary commands through the pm2run function in the /rpc endpoint. The vulnerability has a CVSS score of 6.9 with publicly available exploit code, though the vendor has not yet responded to early notification of the issue. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L) indicates network-accessible, unauthenticated exploitation with low attack complexity, and the E:P tag confirms publicly available exploit code exists. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers or learns of an internet-exposed elecV2P instance running version 3.8.3 or earlier. The attacker sends an HTTP request to the /rpc endpoint targeting the pm2run function with a malicious payload containing shell metacharacters (e.g., using backticks, $(), pipes, or semicolons) to inject arbitrary commands. …
Remediation	Immediate action required: upgrade elecV2P to a version released after 3.8.3 that contains a fix for the pm2run command injection vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running elecV2 elecV2P and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5012 vulnerability details – vuln.today

Back