CVE-2026-5014
Received Received - Intake
Path Traversal in elecV2 Wildcard Handler Enables Remote Exploit

Publication date: 2026-03-28

Last updated on: 2026-03-28

Assigner: VulDB

Description
A vulnerability was found in elecV2 elecV2P up to 3.8.3. The affected element is the function path.join of the file /log/ of the component Wildcard Handler. The manipulation results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-03-28
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5014
EUVD
EUVD-2026-16947
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elecv2 elecv2p to 3.8.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the elecV2 elecV2P software up to version 3.8.3, specifically in the function path.join within the /log/ directory of the Wildcard Handler component. It allows an attacker to perform a path traversal attack by manipulating the path.join function. This means an attacker can potentially access files and directories outside the intended scope by crafting malicious input. The attack can be executed remotely, and a public exploit is available.

Impact Analysis

The vulnerability can lead to unauthorized access to files and directories on the affected system due to path traversal. This can expose sensitive information stored outside the intended directories. Since the attack can be performed remotely without authentication, it increases the risk of data exposure or leakage.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform path traversal and read arbitrary files on the server, including sensitive system files. This unauthorized access to potentially sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Since the vulnerability exposes server files without authentication or validation, it increases the risk of data breaches and unauthorized disclosure, which are critical compliance concerns under these standards.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable `/log/*` endpoint with crafted path traversal sequences to see if arbitrary files can be read without authentication.

A common detection method is to send HTTP GET requests with URL-encoded directory traversal payloads targeting sensitive files such as `/etc/passwd`.

  • Use curl to test the vulnerability by requesting a file outside the intended directory, for example: curl -i "http://<target>/log/.%2E/.%2E/.%2E/.%2E/etc/passwd"
  • Use a Python script or HTTP client to send a GET request to the `/log/*` endpoint with multiple `.%2E/` sequences to verify if the server returns the contents of arbitrary files.
  • Monitor network traffic for unusual requests to `/log/*` endpoints containing encoded traversal sequences such as `%2E%2E` or `.%2E`.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable `/log/*` and `/logs` endpoints to trusted users only, ideally requiring authentication.

Implement input validation and sanitization on the filename parameter to prevent directory traversal sequences from being processed by the `path.join` function.

If possible, apply patches or updates from the vendor once available, or temporarily disable the vulnerable endpoints to prevent exploitation.

  • Configure web application firewalls (WAF) or intrusion detection systems (IDS) to block requests containing suspicious path traversal patterns.
  • Review server logs for any suspicious access attempts to the `/log/*` endpoint and respond accordingly.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart