CVE-2026-3955
Remote Code Injection in elecV2P jsfile Endpoint (runJSFile
Publication date: 2026-03-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3955 is a critical Remote Code Execution (RCE) vulnerability in elecV2P versions up to 3.8.3. It affects the runJSFile function in the jsfile endpoint, where user-supplied JavaScript code (via the jscontent parameter) is executed without proper sanitization. This happens because the function sJson uses new Function("return " + str) to parse input strings unsafely, enabling attackers to inject and execute arbitrary code remotely.'}, {'type': 'paragraph', 'content': 'Attackers can exploit this flaw by sending specially crafted requests to the /jsfile endpoint with the type parameter set to totest, causing the server to run the injected JavaScript code. This can lead to execution of system commands through Node.js internals, resulting in full server compromise.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary system commands on the server hosting elecV2P, leading to full server compromise.
- Attackers can run arbitrary JavaScript code and system commands via Node.js child process execution.
- Confidentiality, integrity, and availability of the affected system can be severely impacted.
- Potential consequences include data theft, unauthorized access, and further network penetration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for exploitation attempts targeting the /jsfile HTTP POST endpoint with the parameter type=totest. Attackers send JavaScript code in the jscontent parameter that gets executed by the server.'}, {'type': 'paragraph', 'content': 'A practical detection method is to look for unusual POST requests to /jsfile containing the type=totest parameter and suspicious JavaScript code in jscontent, especially commands invoking Node.js child_process execution.'}, {'type': 'paragraph', 'content': 'Successful exploitation can be confirmed via DNS callbacks triggered by the executed commands, so monitoring DNS logs for unexpected outbound requests from the server IPs may help detect exploitation.'}, {'type': 'list_item', 'content': 'Use network monitoring tools or web server logs to filter POST requests to /jsfile with type=totest.'}, {'type': 'list_item', 'content': "Check logs for POST data containing suspicious JavaScript code, such as calls to process.mainModule.require('child_process').exec()."}, {'type': 'list_item', 'content': 'Monitor DNS logs for unexpected outbound queries that could indicate DNS callbacks from exploited servers.'}, {'type': 'list_item', 'content': "Example command to detect suspicious POST requests in web server logs (assuming Apache logs): grep '/jsfile' access.log | grep 'type=totest'"}, {'type': 'list_item', 'content': 'Example command to monitor DNS queries (using tcpdump): tcpdump -i any port 53 and host <server_ip>'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
As of the disclosure date, no known patches or countermeasures exist for this vulnerability in elecV2P versions up to 3.8.3.
Immediate mitigation steps include disabling or restricting access to the /jsfile endpoint, especially blocking requests with the type=totest parameter to prevent execution of arbitrary JavaScript code.
Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block or monitor suspicious POST requests targeting this endpoint.
Consider isolating or removing the vulnerable elecV2P service from critical network segments to reduce exposure.
Replacement with alternative products or software not affected by this vulnerability is suggested since no official fix or response has been provided by the project.