Description
A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) enabling remote attacks
Action: Apply Fix
AI Analysis

Impact

An SSRF flaw exists in the eAxios handler of the elecV2P URL module. The flaw arises when the argument ‘req’ passed to the /mock endpoint is manipulated, allowing an attacker to force the server to initiate HTTP requests to arbitrary internal or external hosts. The vulnerability can be leveraged from anywhere on the internet, and a publicly available exploit exists. Successful exploitation would give an attacker the ability to read or potentially modify data on internal services, compromising confidentiality, integrity, and potentially availability of those services.

Affected Systems

The weakness affects the elecV2:elecV2P product, version 3.8.3 and earlier. Any deployment of these versions running the URL handler component is at risk.

Risk and Exploitability

With a CVSS score of 6.9 the risk is moderate, yet the absence of a public fix and the presence of an available exploit elevate the urgency. EPSS data is missing, and KEV does not list this issue, yet the remote nature of the attack means that containers or services exposed to the network could be compromised if the application is run without additional safeguards.

Generated by OpenCVE AI on March 29, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade elecV2P to the latest available release that removes the SSRF flaw.
  • If a new release is not yet available, place the URL handler behind a network firewall and restrict outbound traffic to known, trusted endpoints.
  • Apply an internal URL whitelist to block requests to non‑approved destinations.
  • Monitor outbound request logs for unexpected target hosts and investigate any anomalies promptly.
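
One way to implement the allowlist and log-monitoring actions above, as an added Node.js example that is not elecV2P code and not part of the OpenCVE record. The function names, the allowlisted hosts and the log line format are assumptions made for illustration.

```javascript
// Added example: hypothetical egress guard, not elecV2P code; all names are illustrative.
const ALLOWED_HOSTS = new Set(['api.example.com', 'hooks.example.net']); // constructed

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local (cloud metadata), CGNAT, "this network", multicast/reserved.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

// Decide whether the server may fetch `raw`. The WHATWG URL parser normalises
// decimal/hex/octal IPv4 spellings to dotted-quad before the checks below run.
function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { allowed: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { allowed: false, reason: 'credentials in URL' };
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (host.startsWith('[')) return { allowed: false, reason: 'IPv6 literal' };
  const v4 = parseIPv4(host);
  if (v4) return { allowed: false, reason: isInternalIPv4(v4) ? 'internal address' : 'IP literal' };
  if (!ALLOWED_HOSTS.has(host)) return { allowed: false, reason: 'host not on allowlist' };
  return { allowed: true, reason: 'ok' };
}

// Audit outbound-request log lines (constructed format: "<ISO time> OUT <method> <url>").
function auditOutboundLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /^(\S+) OUT (\S+) (\S+)$/.exec(line.trim());
    const verdict = m && checkOutboundUrl(m[3]);
    if (verdict && !verdict.allowed) findings.push({ time: m[1], url: m[3], reason: verdict.reason });
  }
  return findings;
}

// Constructed sample log lines, for illustration only.
const SAMPLE_LOG = [
  '2026-03-29T05:20:01Z OUT GET https://api.example.com/v1/status',
  '2026-03-29T05:20:07Z OUT GET http://169.254.169.254/latest/meta-data/',
  '2026-03-29T05:20:09Z OUT GET http://2130706433/admin',
];
```

A hostname check alone does not cover an allowlisted name that resolves to an internal address or a redirect to another host, so the same check should be repeated on the resolved address and on every redirect hop.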

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Elecv2
Elecv2 elecv2p
Vendors & Products Elecv2
Elecv2 elecv2p

Sun, 29 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Title elecV2 elecV2P URL mock eAxios server-side request forgery
Weaknesses CWE-918
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:32:46.143Z

Reserved: 2026-03-27T14:11:48.102Z

Link: CVE-2026-5016

Vulnrichment

Updated: 2026-03-30T14:32:43.349Z

NVD

Status: Deferred

Published: 2026-03-28T22:15:58.120

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:50Z

Weaknesses