Description
A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the Endpoint /logs component of elecV2P, triggered by manipulating the filename argument passed to the logs module. The vulnerability is classified under CWE‑79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting") and CWE‑94 (Improper Control of Generation of Code, "Code Injection"), enabling attackers to inject malicious script code that will execute within the browser of any user who views the affected log entry. This can lead to session hijacking, credential theft, defacement, or the execution of further client‑side attacks without requiring authentication.

Affected Systems

The flaw affects elecV2P versions up to and including 3.8.3. The specific component is the /logs endpoint, which may be exposed over the network to external users. Administrators operating these versions should verify their deployment and confirm whether the vulnerable code path is active.

Risk and Exploitability

The reported CVSS score of 5.3 indicates a moderate impact, and the EPSS score is not available. The vulnerability is not present in the CISA KEV catalog, but it has been publicly disclosed and could be exploited by sending a crafted request to the exposed endpoint. Because the attack vector is remote and does not require authentication, there is a realistic risk of widespread exploitation if the endpoint remains accessible to untrusted actors.

Generated by OpenCVE AI on March 28, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify your elecV2P deployment version and upgrade to a patched release if one is available on the project’s repository.
  • If no update is available, restrict external access to the /logs endpoint using firewall rules or reverse‑proxy configurations.
  • Implement input validation or sanitization for the filename parameter to prevent injection of script code.
  • Monitor web server logs for suspicious requests targeting the /logs endpoint.
  • Apply defensive browser security headers such as Content‑Security‑Policy to mitigate the impact of any XSS payload.


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Elecv2; Elecv2 elecv2p |
| Vendors & Products | | Elecv2; Elecv2 elecv2p |

Sat, 28 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. |
| Title | | elecV2 elecV2P Endpoint logs cross site scripting |
| Weaknesses | | CWE-79; CWE-94 |
| References | | |
| Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T14:16:08.468Z

Reserved: 2026-03-27T14:11:44.844Z

Link: CVE-2026-5015

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-03-28T21:17:00.633

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:50Z