{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5012", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T14:11:35.365Z", "datePublished": "2026-03-28T19:15:11.947Z", "dateUpdated": "2026-03-30T14:53:04.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T19:15:11.947Z"}, "title": "elecV2 elecV2P rpc pm2run os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "elecV2", "product": "elecV2P", "versions": [{"version": "3.8.0", "status": "affected"}, {"version": "3.8.1", "status": "affected"}, {"version": "3.8.2", "status": "affected"}, {"version": "3.8.3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T15:16:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353897", "name": "VDB-353897 | elecV2 elecV2P rpc pm2run os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353897/cti", "name": "VDB-353897 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779174", "name": "Submit #779174 | elecV2 <=3.8.3 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/196", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T12:58:58.841816Z", "id": "CVE-2026-5012", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:53:04.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5012", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T12:58:58.841816Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:14:28.928Z"}}], "cna": {"title": "elecV2 elecV2P rpc pm2run os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "elecV2", "product": "elecV2P", "versions": [{"status": "affected", "version": "3.8.0"}, {"status": "affected", "version": "3.8.1"}, {"status": "affected", "version": "3.8.2"}, {"status": "affected", "version": "3.8.3"}]}], "timeline": [{"lang": "en", "time": "2026-03-27T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-27T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-27T15:16:55.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/353897", "name": "VDB-353897 | elecV2 elecV2P rpc pm2run os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353897/cti", "name": "VDB-353897 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779174", "name": "Submit #779174 | elecV2 <=3.8.3 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/196", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T19:15:11.947Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5012", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:53:04.134Z", "dateReserved": "2026-03-27T14:11:35.365Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-28T19:15:11.947Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5012", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-28T20:16:16.237", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/"}, {"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/issues/196"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/779174"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353897"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353897/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "elecV2P", "source": "cna", "vendor": "elecV2"}, "product": "elecv2p", "vendor": "elecv2"}], "analysis": {"en": {"generated_at": "2026-03-28T20:20:33.764726+00:00", "value": {"mitigation_remediation": ["Upgrade elecV2P to the latest available version that excludes the flawed pm2run implementation", "Remove or disable the pm2run RPC endpoint if upgrading is not immediately feasible", "Restrict network traffic to the RPC interface to trusted hosts only", "Regularly monitor the elecV2P repository and security advisories for a patch release", "Consider replacing the vulnerable component with an alternative if no fix is forthcoming"], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "ElecV2 the elecV2P project is affected. The versions vulnerable are all releases published through 3.8.3. Earlier or later versions are not documented as impacted. The product is hosted on GitHub and actively maintained, but the maintainer has not yet issued a fix.", "description_and_impact": "The pm2run function in the /rpc handler of elecV2P can execute arbitrary operating-system commands when supplied with manipulated input. An attacker able to reach the RPC endpoint can inject shell commands, potentially gaining full system compromise. The flaw exists in all releases up to 3.8.3. The vulnerability is specifically an OS command injection (CWE\u201177/78) that compromises confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS rating is 6.9, indicating a medium severity impact. No EPSS score is published, and the issue is not in the CISA KEV catalog. The exploit code is publicly shared and the project has not yet released a patch, which increases the risk for anyone exposing the RPC endpoint over the network. Attackers can launch the injection remotely by sending crafted RPC requests, so systems that expose the endpoint to untrusted networks are at highest risk."}}}}, "created": "2026-03-29T20:32:00.822671+00:00", "updated": "2026-03-30T06:58:53.795182+00:00", "vendors": ["elecv2", "elecv2$PRODUCT$elecv2p"]}