CVE-2026-5013

MEDIUM

elecV2 elecV2P :key path.join path traversal

Title source: cna

Description

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/353898

[Signature, Permissions Required] https://vuldb.com/vuln/353898/cti

[Third Party Advisory] https://vuldb.com/submit/779177

[Exploit] https://github.com/elecV2/elecV2P/issues/199

[Product] https://github.com/elecV2/elecV2P/

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-22

Status published

Products (4)

elecV2/elecV2P 3.8.0

elecV2/elecV2P 3.8.1

elecV2/elecV2P 3.8.2

elecV2/elecV2P 3.8.3

Published Mar 28, 2026

Tracked Since Mar 29, 2026