Description
A vulnerability was detected in elecV2 elecV2P up to 3.8.3. This vulnerability affects the function runJSFile of the file /webhook of the component JSON Parser. Performing a manipulation of the argument rawcode results in code injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via code injection
Action: Immediate Patch
AI Analysis

Impact

A code injection flaw exists in the runJSFile function of the JSON webhook component. By crafting a malicious value for the rawcode argument, an attacker can cause the server to execute arbitrary JavaScript code. This directly permits remote code execution, jeopardizing the confidentiality, integrity, and availability of the affected system.

Affected Systems

elecV2 elecV2P up to version 3.8.3 is affected. Any installation that uses the /webhook endpoint and has not applied a newer release is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects medium severity, but the vulnerability is exploitable remotely over the network and the exploit code is now publicly available. No EPSS data is available and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and network‑based, likely targeting the JSON webhook endpoint from external clients.

Generated by OpenCVE AI on March 28, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any official update released after version 3.8.3 from the elecV2 project
  • If no update exists, restrict access to the /webhook endpoint to trusted IP addresses only
  • Consider disabling the JSON webhook feature if it is not required for your environment
  • Continuously monitor logs for unexpected JSON payloads or execution attempts

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elecv2; Elecv2 elecv2p
Vendors & Products | | Elecv2; Elecv2 elecv2p

Sat, 28 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in elecV2 elecV2P up to 3.8.3. This vulnerability affects the function runJSFile of the file /webhook of the component JSON Parser. Performing a manipulation of the argument rawcode results in code injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | | elecV2 elecV2P JSON webhook runJSFile code injection
Weaknesses | | CWE-74, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:37:01.524Z

Reserved: 2026-03-27T14:11:31.996Z

Link: CVE-2026-5011

Vulnrichment

Updated: 2026-03-30T14:36:58.348Z

NVD

Status: Deferred

Published: 2026-03-28T19:16:57.027

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:56Z

Weaknesses