CVE-2026-5013
Received Received - Intake
Remote Path Traversal in elecV2 elecV2P via path.join Function

Publication date: 2026-03-28

Last updated on: 2026-03-28

Assigner: VulDB

Description
A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-03-28
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5013
EUVD
EUVD-2026-16945
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elecv2 elecv2p to 3.8.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include implementing input validation and sanitization on the key parameter to prevent directory traversal sequences from being processed.

Restrict access to the /store/:key endpoint, for example by adding authentication or network-level access controls.

Monitor and block suspicious requests containing URL-encoded traversal patterns.

If possible, update or patch the application once an official fix is released.

Executive Summary

CVE-2026-5013 is a path traversal vulnerability found in the elecV2P project, specifically in the unauthenticated HTTP GET endpoint `/store/:key`.

The vulnerability occurs because the endpoint takes the URL parameter `key` and directly passes it to the function `path.join` without any sanitization or validation. This allows an attacker to include URL-encoded directory traversal sequences (like `../`) in the `key` parameter.

By exploiting this, an attacker can escape the intended storage directory and access arbitrary files on the server, such as sensitive system files.

The attack can be carried out remotely without any authentication, making it more severe.

Impact Analysis

This vulnerability allows an attacker to read arbitrary files on the server hosting the elecV2P application.

An attacker can exploit this to access sensitive information such as configuration files, credentials, or system files like `/etc/passwd`.

Since the endpoint requires no authentication, any remote attacker can exploit this vulnerability, potentially leading to information disclosure and further attacks.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP GET requests to the vulnerable endpoint /store/:key with URL-encoded directory traversal payloads and observing if arbitrary files are returned.

  • Use curl or similar tools to send requests with traversal sequences, for example: curl -v "http://<target>/store/..%2F..%2Fetc%2Fpasswd"
  • Monitor server responses for unexpected file contents such as the contents of /etc/passwd.
  • Check server logs for unusual requests to /store/:key with encoded traversal sequences.
Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform path traversal and read arbitrary files on the server, potentially exposing sensitive data.

Such unauthorized access to sensitive files can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and protected health information.

Because the exploit can disclose confidential information without authentication, organizations using the affected software may face compliance risks related to data confidentiality and breach notification requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5013. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart