CVE-2026-5012
Remote OS Command Injection in elecV2 pm2run Function
Publication date: 2026-03-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elecv2 | elecv2p | to 3.8.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5012 is a remote code execution vulnerability in the elecV2P application, specifically in the pm2run method of its unauthenticated /rpc endpoint.
The vulnerability occurs because the pm2run method directly inserts user-supplied input into a shell command without any sanitization or validation, allowing attackers to inject arbitrary operating system commands.
An attacker can send a crafted request to the /rpc endpoint to execute commands on the server, such as reading sensitive files, without needing any authentication.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary OS commands on the server hosting elecV2P.
Potential impacts include full system compromise, unauthorized access to sensitive data, disruption of services, and the ability to install malware or create persistent backdoors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST requests to the vulnerable `/rpc` endpoint of the elecV2P application to test for command injection.
A specific test command involves sending a JSON payload that invokes the `pm2run` method with a command such as `cat /etc/passwd` to check if the server executes it and returns the output.
Example curl command to test for the vulnerability:
- curl -X POST http://<target-ip>/rpc -H "Content-Type: application/json" -d '{"method": "pm2run", "params": ["cat /etc/passwd", {}]}'
If the response contains the contents of `/etc/passwd` or other command output, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the `/rpc` endpoint to trusted users or networks since it currently allows unauthenticated remote command execution.
If possible, disable or block the `pm2run` method or the entire `/rpc` endpoint until a patch or fix is available.
Monitor network traffic and logs for suspicious POST requests to `/rpc` that may indicate exploitation attempts.
Apply network-level protections such as firewall rules or Web Application Firewalls (WAF) to block unauthorized access to the vulnerable endpoint.
Contact the software maintainers or monitor official channels for patches or updates addressing this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-5012 allows unauthenticated remote attackers to execute arbitrary OS commands on the server hosting elecV2P, potentially leading to full system compromise.
Such a vulnerability can severely impact compliance with common standards and regulations like GDPR and HIPAA because it risks unauthorized access to sensitive data, system integrity, and availability.
If exploited, attackers could access or manipulate personal or protected health information, violating data protection requirements and potentially leading to data breaches.
Therefore, this vulnerability poses a significant compliance risk by undermining confidentiality, integrity, and availability controls mandated by these regulations.