CVE-2026-5011 is a code injection vulnerability identified in the elecV2 elecV2P software, specifically affecting versions 3.8.0 through 3.8.3. The flaw resides in the runJSFile function of the /webhook endpoint, which processes JSON input. An attacker can manipulate the 'rawcode' argument to inject malicious JavaScript code that the system executes, leading to arbitrary code execution on the server. This vulnerability is remotely exploitable over the network without requiring user interaction, though it requires low-level privileges (PR:L). The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with network attack vector, low complexity, no user interaction, and limited scope and impact on confidentiality, integrity, and availability. The vulnerability was responsibly disclosed to the project maintainers, but no patch or official response has been issued as of the publication date. Public exploit code is available, increasing the risk of exploitation. The vulnerability's presence in a webhook component suggests it could be triggered by crafted HTTP requests, potentially allowing attackers to compromise the server hosting elecV2P, execute arbitrary commands, and manipulate system behavior or data.

If exploited, this vulnerability could allow attackers to execute arbitrary code remotely on servers running vulnerable versions of elecV2P. This can lead to unauthorized access, data manipulation, service disruption, or full system compromise. The impact extends to confidentiality breaches if sensitive data is accessed or exfiltrated, integrity violations through unauthorized code execution or data tampering, and availability issues if the system is destabilized or taken offline. Since the vulnerability is remotely exploitable without user interaction, attackers can automate attacks at scale, increasing risk to organizations relying on elecV2P for automation or webhook processing. The lack of an official patch increases exposure time, potentially inviting opportunistic attackers to exploit the vulnerability. Organizations may face operational disruptions, reputational damage, and compliance risks if exploited.

Organizations should immediately audit their use of elecV2P and identify any instances running versions 3.8.0 through 3.8.3. Until an official patch is released, mitigate risk by restricting network access to the /webhook endpoint using firewall rules or network segmentation to limit exposure to trusted sources only. Implement strict input validation and sanitization on the rawcode parameter if possible, or disable the runJSFile functionality if not essential. Monitor logs for unusual or suspicious webhook requests indicative of exploitation attempts. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block code injection patterns targeting this endpoint. Maintain up-to-date backups and prepare incident response plans for potential compromise. Engage with the vendor or community for updates and patches, and apply them promptly once available.