Which versions of Elecv2P are affected by CVE-2026-5013?

Organizations using elecV2 elecV2P should be aware of moderate risk from CVE-2026-5013, a path traversal vulnerability rated CVSS 5.5. This could allow unauthorized file access.

Is there a public PoC exploit available for CVE-2026-5013?

Yes, a public proof-of-concept exploit is available for CVE-2026-5013. Prioritise patching immediately. EPSS: 0.0%.

Elecv2P CVE-2026-5013

Q: What is the CVSS score of CVE-2026-5013?

CVE-2026-5013 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-16945 MEDIUM

Path Traversal (CWE-22)

2026-03-28 VulDB

GHSA-h9hm-gx5c-xfc2

Path Traversal Elecv2P

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Mar 30, 2026 - 13:26 vuln.today

Public exploit code

EUVD ID Assigned

Mar 28, 2026 - 20:15 euvd

EUVD-2026-16945

Analysis Generated

Mar 28, 2026 - 20:15 vuln.today

CVE Published

Mar 28, 2026 - 20:00 nvd

MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to read arbitrary files via manipulation of the URL argument in the /store/:key endpoint's path.join function. The vulnerability has a CVSS score of 5.5 with low confidentiality impact, publicly available exploit code exists, and the vendor has not responded to early notification through an issue report.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS v4.0 score of 5.5 reflects medium severity, the actual real-world risk is moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker sends a specially crafted HTTP request to the /store/:key endpoint with a URL parameter containing path traversal sequences such as ../../etc/passwd, allowing direct read access to sensitive files outside the intended /store directory. Since the attack requires no authentication and has low complexity, an attacker can automate file enumeration to discover sensitive application configuration, credentials, or system files. …
Remediation	Upgrade elecV2P to a version later than 3.8.3 if a patched release becomes available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running elecV2 elecV2P and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5013 vulnerability details – vuln.today

Back