CVE-2026-5013
Remote Path Traversal in elecV2 elecV2P via path.join Function
Publication date: 2026-03-28
Last updated on: 2026-03-28
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elecv2 | elecv2p | to 3.8.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing input validation and sanitization on the key parameter to prevent directory traversal sequences from being processed.
Restrict access to the /store/:key endpoint, for example by adding authentication or network-level access controls.
Monitor and block suspicious requests containing URL-encoded traversal patterns.
If possible, update or patch the application once an official fix is released.
Can you explain this vulnerability to me?
CVE-2026-5013 is a path traversal vulnerability found in the elecV2P project, specifically in the unauthenticated HTTP GET endpoint `/store/:key`.
The vulnerability occurs because the endpoint takes the URL parameter `key` and directly passes it to the function `path.join` without any sanitization or validation. This allows an attacker to include URL-encoded directory traversal sequences (like `../`) in the `key` parameter.
By exploiting this, an attacker can escape the intended storage directory and access arbitrary files on the server, such as sensitive system files.
The attack can be carried out remotely without any authentication, making it more severe.
How can this vulnerability impact me? :
This vulnerability allows an attacker to read arbitrary files on the server hosting the elecV2P application.
An attacker can exploit this to access sensitive information such as configuration files, credentials, or system files like `/etc/passwd`.
Since the endpoint requires no authentication, any remote attacker can exploit this vulnerability, potentially leading to information disclosure and further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP GET requests to the vulnerable endpoint /store/:key with URL-encoded directory traversal payloads and observing if arbitrary files are returned.
- Use curl or similar tools to send requests with traversal sequences, for example: curl -v "http://<target>/store/..%2F..%2Fetc%2Fpasswd"
- Monitor server responses for unexpected file contents such as the contents of /etc/passwd.
- Check server logs for unusual requests to /store/:key with encoded traversal sequences.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote attackers to perform path traversal and read arbitrary files on the server, potentially exposing sensitive data.
Such unauthorized access to sensitive files can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and protected health information.
Because the exploit can disclose confidential information without authentication, organizations using the affected software may face compliance risks related to data confidentiality and breach notification requirements.