Overview

  • elecV2
  • elecV2P

Published: 28 Mar 2026
Updated: 30 Mar 2026

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.23%

KEV

Description

A vulnerability was detected in elecV2 elecV2P up to 3.8.3. This vulnerability affects the function runJSFile of the file /webhook of the component JSON Parser. Performing a manipulation of the argument rawcode results in code injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

ZAST.AI identified and verified seven vulnerabilities in `elecV2P <= 3.8.3`:

- `CVE-2026-3955`, `CVE-2026-5011`, `CVE-2026-5012`: remote code execution
- `CVE-2026-5013`, `CVE-2026-5014`: arbitrary file read via path traversal
- `CVE-2026-5015`: reflected XSS
- `CVE-2026-5016`: SSRF

`elecV2P` has about 1.4k GitHub stars.

The important lesson across all seven cases is consistent: request data was trusted in roles that define execution, filesystem access, browser output, or outbound network behavior.

This is why broad boundary review matters more than patching one route at a time.

Report:
blog.zast.ai/vulnerability%20r


Overview

  • elecV2
  • elecV2P

Published: 28 Mar 2026
Updated: 30 Mar 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: 0.45%

KEV

Description

A vulnerability was found in elecV2 elecV2P up to 3.8.3. The affected element is the function path.join of the file /log/ of the component Wildcard Handler. The manipulation results in path traversal. The attack may be performed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago


Overview

  • elecV2
  • elecV2P

Published: 28 Mar 2026
Updated: 30 Mar 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: 1.38%

KEV

Description

A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to OS command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago


Overview

  • elecV2
  • elecV2P

Published: 28 Mar 2026
Updated: 30 Mar 2026

CVSS v4.0: MEDIUM (6.9)
EPSS: 0.59%

KEV

Description

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago


Overview

  • elecV2
  • elecV2P

Published: 28 Mar 2026
Updated: 01 Apr 2026

CVSS v4.0: MEDIUM (5.3)
EPSS: 0.26%

KEV

Description

A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross-site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Statistics

  • 1 Post

Last activity: 17 hours ago
