免费扫描
MEDIUMCVE-2026-5011CVSS 6.3

elecV2 elecV2P JSON webhook runJSFile 代码注入

平台

nodejs

组件

elecv2p

修复版本

3.8.1

3.8.2

3.8.3

3.8.4

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2026-5011 describes a code injection vulnerability discovered in elecV2 and elecV2P versions 3.8.0 to 3.8.3. This flaw resides within the runJSFile function of the /webhook endpoint, specifically within the JSON Parser component. An attacker can exploit this by manipulating the rawcode argument, leading to arbitrary code execution. A public exploit is now available, highlighting the urgency of addressing this issue.

影响与攻击场景翻译中…

The vulnerability allows a remote attacker to inject and execute arbitrary code on a system running elecV2 or elecV2P. This could lead to complete system compromise, including data theft, modification, or deletion. Given the public availability of an exploit, the potential for widespread exploitation is high. The /webhook endpoint suggests this vulnerability could be exploited through external integrations or API calls, expanding the attack surface. Successful exploitation could also allow for lateral movement within the network if the affected system has access to other sensitive resources.

利用背景翻译中…

This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-03-28. The project maintainers have not yet responded to the issue report, increasing the risk. While not currently listed on CISA KEV, its public exploit status warrants close monitoring. The ease of exploitation suggests a potentially high probability of widespread attacks.

哪些人处于风险中翻译中…

Organizations utilizing elecV2 or elecV2P in production environments, particularly those with external integrations or API endpoints that interact with the /webhook functionality, are at significant risk. Systems with weak input validation or lacking WAF protection are especially vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's instance could potentially affect others.

检测步骤翻译中…

• nodejs: Monitor process execution for unusual JavaScript code being run. Use ps aux | grep node to identify processes running elecV2/elecV2P. Check for suspicious network connections originating from the affected processes using netstat -anp | grep elecV2.

ps aux | grep elecV2

• generic web: Examine access logs for requests to /webhook with unusual or excessively long rawcode parameters. Look for POST requests containing JavaScript code in the request body.

grep '/webhook' access.log | grep -i javascript

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.05% (15% 百分位)

CISA SSVC

利用情况poc
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R6.3MEDIUMAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityLow敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityLow服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
低 — 可访问部分数据。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
低 — 部分或间歇性拒绝服务。

受影响的软件

组件elecv2p
供应商elecV2
影响范围修复版本
3.8.0 – 3.8.03.8.1
3.8.1 – 3.8.13.8.2
3.8.2 – 3.8.23.8.3
3.8.3 – 3.8.33.8.4

弱点分类 (CWE)

CWE-94CWE-74

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期
未修复 — 披露已57天

缓解措施和替代方案翻译中…

The primary mitigation is to upgrade to a patched version of elecV2 or elecV2P. As of this writing, no patched version has been released. Until a patch is available, consider implementing temporary workarounds. Input validation on the /webhook endpoint is crucial; strictly validate and sanitize the rawcode argument to prevent malicious code injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious payloads targeting the /webhook endpoint can provide an additional layer of defense. Monitor system logs for unusual activity related to the /webhook endpoint and the JSON Parser component.

修复方法

将 elecV2 elecV2P 更新到 3.8.3 之后的版本。这将修复 /webhook 文件中 runJSFile 函数的代码注入漏洞。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-5011 — Code Injection in elecV2 elecV2P?

CVE-2026-5011 is a code injection vulnerability affecting elecV2 and elecV2P versions 3.8.0 through 3.8.3. It allows attackers to execute arbitrary code by manipulating the 'rawcode' argument in the /webhook endpoint.

Am I affected by CVE-2026-5011 in elecV2 elecV2P?

You are affected if you are using elecV2 or elecV2P versions 3.8.0, 3.8.1, 3.8.2, or 3.8.3. Immediate action is required.

How do I fix CVE-2026-5011 in elecV2 elecV2P?

Upgrade to a patched version of elecV2 or elecV2P. As no patch is currently available, implement input validation and WAF rules as temporary mitigations.

Is CVE-2026-5011 being actively exploited?

Yes, a public exploit exists, indicating active exploitation is likely and poses an immediate threat.

Where can I find the official elecV2 advisory for CVE-2026-5011?

The project maintainers have not yet responded to the issue report. Monitor the project's website and GitHub repository for updates.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE