Platform
other
Component
elecv2p
Fixed in
3.8.1
3.8.2
3.8.3
3.8.4
CVE-2026-5015 describes a cross-site scripting (XSS) vulnerability discovered in elecV2 elecV2P versions 3.8.0 through 3.8.3. This vulnerability allows attackers to inject malicious scripts by manipulating the filename argument within the /logs file. The potential impact includes data theft, session hijacking, and defacement. While a report was submitted to the project, no response has been received, leaving users vulnerable.
Successful exploitation of CVE-2026-5015 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including the theft of sensitive information such as session cookies, authentication tokens, and personally identifiable information (PII). Attackers could also leverage this vulnerability to redirect users to phishing websites, deface the application, or even gain control of the underlying system if the application has elevated privileges. The remote nature of the exploit significantly broadens the attack surface, making it accessible to a wider range of threat actors.
CVE-2026-5015 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability's simplicity and remote accessibility make it an attractive target for opportunistic attackers. The lack of a response from the project suggests a potential abandonment of the software, further exacerbating the risk. No KEV listing or confirmed exploitation campaigns are currently known, but the public disclosure warrants immediate attention.
Exploit Status
EPSS
0.03% (11% percentile)
CISA SSVC
Due to the lack of a response from the project, immediate mitigation strategies are crucial. While upgrading to a patched version is the ideal solution, it's currently unavailable. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data, particularly when handling filenames. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly monitor application logs for suspicious activity, such as unusual JavaScript execution patterns or attempts to access sensitive files. Without a patch, diligent monitoring and input validation are the primary defenses.
Update elecV2 elecV2P to a version later than 3.8.3. There is no specific version that fixes the problem, so updating to the latest available version is recommended.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5015 is a cross-site scripting (XSS) vulnerability affecting elecV2P versions 3.8.0 through 3.8.3, allowing attackers to inject malicious scripts via the /logs file.
You are affected if you are using elecV2P versions 3.8.0, 3.8.1, 3.8.2, or 3.8.3 and have not applied a patch (currently unavailable).
A patch is not yet available. Implement input validation, sanitization, and consider a WAF as temporary mitigations.
While no confirmed exploitation campaigns are known, the vulnerability is publicly disclosed, increasing the risk of exploitation.
As of now, there is no official advisory from the elecV2 project regarding this vulnerability.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.