{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5016", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T14:11:48.102Z", "datePublished": "2026-03-28T21:45:11.240Z", "dateUpdated": "2026-03-30T14:32:46.143Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T21:45:11.240Z"}, "title": "elecV2 elecV2P URL mock eAxios server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "elecV2", "product": "elecV2P", "versions": [{"version": "3.8.0", "status": "affected"}, {"version": "3.8.1", "status": "affected"}, {"version": "3.8.2", "status": "affected"}, {"version": "3.8.3", "status": "affected"}], "modules": ["URL Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T15:17:03.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/353901", "name": "VDB-353901 | elecV2 elecV2P URL mock eAxios server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353901/cti", "name": "VDB-353901 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779181", "name": "Submit #779181 | elecV2 <=3.8.3 SSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/202", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:32:39.967987Z", "id": "CVE-2026-5016", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:32:46.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5016", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:32:39.967987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:32:43.349Z"}}], "cna": {"title": "elecV2 elecV2P URL mock eAxios server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "elecV2", "modules": ["URL Handler"], "product": "elecV2P", "versions": [{"status": "affected", "version": "3.8.0"}, {"status": "affected", "version": "3.8.1"}, {"status": "affected", "version": "3.8.2"}, {"status": "affected", "version": "3.8.3"}]}], "timeline": [{"lang": "en", "time": "2026-03-27T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-27T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-27T15:17:03.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/353901", "name": "VDB-353901 | elecV2 elecV2P URL mock eAxios server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353901/cti", "name": "VDB-353901 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/779181", "name": "Submit #779181 | elecV2 <=3.8.3 SSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/elecV2/elecV2P/issues/202", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/elecV2/elecV2P/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T21:45:11.240Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5016", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:32:46.143Z", "dateReserved": "2026-03-27T14:11:48.102Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-28T21:45:11.240Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5016", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-28T22:15:58.120", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/"}, {"source": "cna@vuldb.com", "url": "https://github.com/elecV2/elecV2P/issues/202"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/779181"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353901"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353901/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.8.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "elecV2P", "source": "cna", "vendor": "elecV2"}, "product": "elecv2p", "vendor": "elecv2"}], "analysis": {"en": {"generated_at": "2026-03-29T05:22:56.762828+00:00", "value": {"mitigation_remediation": ["Upgrade elecV2P to the latest available release that removes the SSRF flaw. If a new release is not yet available, the URL handler behind a network firewall and restrict outbound traffic to known, trusted endpoints. Apply an internal URL whitelist to block requests to non\u2011approved destinations. Monitor outbound request logs for unexpected target hosts and investigate any anomalies promptly."], "summary": {"action": "Apply Fix", "impact": "Server\u2011Side Request Forgery (SSRF) enabling remote attacks"}, "threat_synthesis": {"affected_systems": "The weakness affects the elecV2:elecV2P product, version 3.8.3 and earlier. Any deployment of these versions running the URL handler component is at risk.", "description_and_impact": "An SSRF flaw exists in the eAxios handler of the elecV2P URL module. The flaw arises when the argument \u2018req\u2019 passed to the /mock endpoint is manipulated, allowing an attacker to force the server to initiate HTTP requests to arbitrary internal or external hosts. The vulnerability can be leveraged from anywhere on the internet, and a publicly available exploit exists. Successful exploitation would give an attacker the ability to read or potentially modify data on internal services, compromising confidentiality, integrity, and potentially availability of those services.", "risk_and_exploitability": "With a CVSS score of 6.9 the risk is moderate, yet the absence of a public fix and the presence of an available exploit elevate the urgency. EPSS data is missing, and KEV does not list this issue, yet the remote nature of the attack means that containers or services exposed to the network could be compromised if the application is run without additional safeguards."}}}}, "created": "2026-03-29T20:31:57.146960+00:00", "updated": "2026-03-30T06:58:50.028276+00:00", "vendors": ["elecv2", "elecv2$PRODUCT$elecv2p"]}