Description
A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. Manipulation of the argument URL leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the path.join call used to process the :key argument of the /store endpoint. An attacker can manipulate the URL to include path traversal sequences, causing the application to read or write files outside the intended directory. This bypasses the intended confinement of user-supplied data and can lead to disclosure of sensitive files or modification of critical resources, the weakness class described by CWE-22.

Affected Systems

This issue affects the elecV2 elecV2P project, specifically all releases up to and including version 3.8.3. The path traversal occurs in the code that processes the :key parameter in the /store route of the application.

Risk and Exploitability

The severity is scored 6.9 on the CVSS scale, indicating moderate risk. No EPSS value is available, and the vulnerability is not currently listed in the CISA KEV catalog. The description states that the attack can be carried out remotely via a crafted URL, and the public release of the exploit indicates that remote exploitation is feasible. Without mitigation, an attacker with network access to the server could send a specially crafted request to the /store endpoint and traverse directories to read or modify files outside the store directory.

Generated by OpenCVE AI on March 28, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade elecV2P to a version released after 3.8.3 that patches the path.join traversal bug.
  • Limit access to the /store/:key endpoint so that only authenticated or trusted users can invoke it.
  • Validate and sanitize the :key parameter to remove any '..' or other traversal sequences before passing it to path.join.
  • Monitor web server logs for anomalous requests targeting the /store endpoint and investigate suspicious activity.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics | -              | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Elecv2; Elecv2 elecv2p
Vendors & Products  | -              | Elecv2; Elecv2 elecv2p

Sat, 28 Mar 2026 20:15:00 +0000

Type        | Values Removed | Values Added
Description | -              | A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title       | -              | elecV2 elecV2P :key path.join path traversal
Weaknesses  | -              | CWE-22
References  | -              | -
Metrics     | -              | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T15:55:15.514Z

Reserved: 2026-03-27T14:11:38.349Z

Link: CVE-2026-5013

Vulnrichment

Updated: 2026-03-30T15:55:11.576Z

NVD

Status : Deferred

Published: 2026-03-28T20:16:16.470

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:52Z

Weaknesses