{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5013", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T14:11:38.349Z", "datePublished": "2026-03-28T20:00:13.760Z", "dateUpdated": "2026-03-30T15:55:15.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T20:00:13.760Z"}, "title": "elecV2 elecV2P :key path.join path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "elecV2", "product": "elecV2P", "versions": [{"version": "3.8.0", "status": "affected"}, {"version": "3.8.1", "status": "affected"}, {"version": "3.8.2", "status": "affected"}, {"version": "3.8.3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T15:16:57.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353898", "name": "VDB-353898 | elecV2 elecV2P :key path.join path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353898/cti", "name": "VDB-353898 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779177", "name": "Submit #779177 | elecV2 <=3.8.3 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/199", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:55:06.453165Z", "id": "CVE-2026-5013", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:55:15.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5013", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:55:06.453165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:55:11.576Z"}}], "cna": {"title": "elecV2 elecV2P :key path.join path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "elecV2", "product": "elecV2P", "versions": [{"status": "affected", "version": "3.8.0"}, {"status": "affected", "version": "3.8.1"}, {"status": "affected", "version": "3.8.2"}, {"status": "affected", "version": "3.8.3"}]}], "timeline": [{"lang": "en", "time": "2026-03-27T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-27T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-27T15:16:57.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/353898", "name": "VDB-353898 | elecV2 elecV2P :key path.join path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353898/cti", "name": "VDB-353898 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779177", "name": "Submit #779177 | elecV2 <=3.8.3 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/199", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T20:00:13.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5013", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:55:15.514Z", "dateReserved": "2026-03-27T14:11:38.349Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-28T20:00:13.760Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5013", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-28T20:16:16.470", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/"}, {"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/issues/199"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/779177"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353898"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353898/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "elecV2P", "source": "cna", "vendor": "elecV2"}, "product": "elecv2p", "vendor": "elecv2"}], "analysis": {"en": {"generated_at": "2026-03-28T21:20:39.438063+00:00", "value": {"mitigation_remediation": ["Upgrade elecV2P to a version released after 3.8.3 that patches the path.join traversal bug.", "Limit access to the /store/:key endpoint so that only authenticated or trusted users can invoke it.", "Validate and sanitize the :key parameter to remove any '..' or other traversal sequences before passing it to path.join.", "Monitor web server logs for anomalous requests targeting the /store endpoint and investigate suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Remote Path Traversal"}, "threat_synthesis": {"affected_systems": "This issue affects the elecV2 elecV2P project, specifically all releases up to and including version 3.8.3. The path traversal occurs in the code that processes the :key parameter in the /store route of the application.", "description_and_impact": "The vulnerability resides in the path.join function used to process the :key argument of the /store endpoint. An attacker can manipulate the URL to include path traversal sequences, allowing the application to read or write files outside the intended directory. This bypasses the intended confinement of user\u2011supplied data and can lead to disclosure of sensitive files or modification of critical resources, as dictated by CWE\u201122.", "risk_and_exploitability": "The severity is scored 6.9 on the CVSS scale, indicating moderate risk. No EPSS value is available, and the vulnerability is not currently listed in the CISA KEV catalog. The description states that the attack can be carried out remotely via a crafted URL, and the public release of the exploit confirms that remote exploitation is feasible. Without mitigation, an attacker with network access to the server could send a specially crafted request to the /store endpoint and traverse directories to read or modify arbitrary files."}}}}, "created": "2026-03-29T20:31:59.915908+00:00", "updated": "2026-03-30T06:58:52.811549+00:00", "vendors": ["elecv2", "elecv2$PRODUCT$elecv2p"]}