Description
A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: 2.2% Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The pm2run function in the /rpc handler of elecV2P can execute arbitrary operating-system commands when supplied with manipulated input. An attacker able to reach the RPC endpoint can inject shell commands, potentially leading to full system compromise. The flaw exists in all releases up to 3.8.3. The vulnerability is specifically an OS command injection (CWE-77/78) that compromises confidentiality, integrity, and availability.

Affected Systems

The elecV2 elecV2P project is affected. All releases published through 3.8.3 are vulnerable. Earlier or later versions are not documented as impacted. The product is hosted on GitHub and actively maintained, but the maintainer has not yet issued a fix.

Risk and Exploitability

The CVSS rating is 6.9, indicating medium severity. No EPSS score is published, and the issue is not in the CISA KEV catalog. The exploit code is publicly shared and the project has not yet released a patch, which increases the risk for anyone exposing the RPC endpoint over the network. Attackers can launch the injection remotely by sending crafted RPC requests, so systems that expose the endpoint to untrusted networks are at highest risk.

Generated by OpenCVE AI on March 28, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade elecV2P to the latest available version that excludes the flawed pm2run implementation
  • Remove or disable the pm2run RPC endpoint if upgrading is not immediately feasible
  • Restrict network traffic to the RPC interface to trusted hosts only
  • Regularly monitor the elecV2P repository and security advisories for a patch release
  • Consider replacing the vulnerable component with an alternative if no fix is forthcoming

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Elecv2; Elecv2 elecv2p

Type: Vendors & Products
Values Removed: (none)
Values Added: Elecv2; Elecv2 elecv2p

Sat, 28 Mar 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Removed: (none)
Values Added: elecV2 elecV2P rpc pm2run os command injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-77; CWE-78

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:53:04.134Z

Reserved: 2026-03-27T14:11:35.365Z

Link: CVE-2026-5012

Vulnrichment

Updated: 2026-03-30T13:14:28.928Z

NVD

Status: Deferred

Published: 2026-03-28T20:16:16.237

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:53Z

Weaknesses