Platform
nodejs
Component
elecv2p
Fixed in
3.8.1
3.8.2
3.8.3
3.8.4
CVE-2026-5011 describes a code injection vulnerability discovered in elecV2 and elecV2P versions 3.8.0 to 3.8.3. This flaw resides within the runJSFile function of the /webhook endpoint, specifically within the JSON Parser component. An attacker can exploit this by manipulating the rawcode argument, leading to arbitrary code execution. A public exploit is now available, highlighting the urgency of addressing this issue.
The vulnerability allows a remote attacker to inject and execute arbitrary code on a system running elecV2 or elecV2P. This could lead to complete system compromise, including data theft, modification, or deletion. Given the public availability of an exploit, the potential for widespread exploitation is high. The /webhook endpoint suggests this vulnerability could be exploited through external integrations or API calls, expanding the attack surface. Successful exploitation could also allow for lateral movement within the network if the affected system has access to other sensitive resources.
This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-03-28. The project maintainers have not yet responded to the issue report, increasing the risk. While not currently listed on CISA KEV, its public exploit status warrants close monitoring. The ease of exploitation suggests a potentially high probability of widespread attacks.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of elecV2 or elecV2P. As of this writing, no patched version has been released. Until a patch is available, consider implementing temporary workarounds. Input validation on the /webhook endpoint is crucial; strictly validate and sanitize the rawcode argument to prevent malicious code injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious payloads targeting the /webhook endpoint can provide an additional layer of defense. Monitor system logs for unusual activity related to the /webhook endpoint and the JSON Parser component.
Update elecV2 elecV2P to a version later than 3.8.3. This will fix the code injection vulnerability in the runJSFile function of the /webhook file.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5011 is a code injection vulnerability affecting elecV2 and elecV2P versions 3.8.0 through 3.8.3. It allows attackers to execute arbitrary code by manipulating the 'rawcode' argument in the /webhook endpoint.
You are affected if you are using elecV2 or elecV2P versions 3.8.0, 3.8.1, 3.8.2, or 3.8.3. Immediate action is required.
Upgrade to a patched version of elecV2 or elecV2P. As no patch is currently available, implement input validation and WAF rules as temporary mitigations.
Yes, a public exploit exists, indicating active exploitation is likely and poses an immediate threat.
The project maintainers have not yet responded to the issue report. Monitor the project's website and GitHub repository for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.