Description
A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by this issue is the function runJSFile of the file source-code/elecV2P-master/webser/wbjs.js of the component jsfile Endpoint. Such manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

CVE-2026-3955 exposes a code injection flaw in the runJSFile function of elecV2P’s jsfile Endpoint. The vulnerability, identified as CWE-74 and CWE-94, allows a remote attacker to submit malicious JavaScript that the server executes, resulting in arbitrary code execution. This flaw threatens the confidentiality, integrity, and availability of the affected system if exploited.

Affected Systems

The issue affects the elecV2P project for any deployment running version 3.8.3 or earlier. The vulnerability resides in the source file source-code/elecV2P-master/webser/wbjs.js within the jsfile Endpoint component. No other products or versions are presently documented as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while an EPSS score below 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. However, the exploit has been publicly disclosed and can be triggered remotely via crafted requests to the vulnerable endpoint. Until an official patch is issued, the risk remains active.

Generated by OpenCVE AI on March 17, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Verify if your deployment runs elecV2P version 3.8.3 or earlier
  • Check the elecV2P repository or project page for newer releases or a patch
  • If a patch is available, upgrade to the latest verified version
  • If no patch exists, restrict network access to the jsfile Endpoint or enforce strong authentication
  • Monitor application logs for anomalous JavaScript execution or unexpected use of runJSFile
  • Apply regular security updates to the underlying system and dependencies

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Elecv2
Elecv2 elecv2p
Vendors & Products Elecv2
Elecv2 elecv2p

Wed, 11 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by this issue is the function runJSFile of the file source-code/elecV2P-master/webser/wbjs.js of the component jsfile Endpoint. Such manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title elecV2P jsfile Endpoint wbjs.js runJSFile code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:57:25.008Z

Reserved: 2026-03-11T12:29:55.484Z

Link: CVE-2026-3955

Vulnrichment

Updated: 2026-03-12T13:57:19.995Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T21:16:19.197

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:09Z

Weaknesses