CVE-2026-5013 is a path traversal vulnerability affecting elecV2 elecV2P software versions 3.8.0 through 3.8.3. The vulnerability arises from improper sanitization of user-supplied input in the path.join function within the /store/:key endpoint. Attackers can craft malicious URL parameters to traverse directories and access files outside the intended directory scope. This can lead to unauthorized reading of sensitive files on the server, such as configuration files, credentials, or other protected data. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) reflects network attack vector, low attack complexity, no privileges or user interaction needed, and partial confidentiality impact. Although the vulnerability was responsibly disclosed early, the vendor has not yet provided a patch or mitigation guidance. Public disclosure of the exploit code increases the likelihood of exploitation attempts in the wild. The lack of known exploits currently in the wild suggests limited active exploitation but does not preclude future attacks. Organizations relying on elecV2P should consider immediate risk assessments and protective measures.

The primary impact of CVE-2026-5013 is unauthorized disclosure of sensitive information due to path traversal, which can compromise confidentiality. Attackers could access configuration files, credentials, or other sensitive data stored on the server, potentially leading to further compromise or lateral movement within the network. Although the vulnerability does not directly affect integrity or availability, the exposure of sensitive files can facilitate more severe attacks. The ease of exploitation—no authentication or user interaction required—means attackers can remotely exploit this vulnerability at scale. Organizations using elecV2P in critical infrastructure, IoT deployments, or automation systems could face operational risks if sensitive data is leaked. The absence of a vendor patch increases the window of exposure, raising the urgency for mitigation. Overall, the threat poses a moderate risk but could escalate if combined with other vulnerabilities or targeted attacks.

Since no official patch is currently available, organizations should implement the following mitigations: 1) Restrict network access to the elecV2P service using firewalls or network segmentation to limit exposure to trusted users only. 2) Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) with rules to detect and block path traversal patterns in URL parameters, such as sequences containing '../' or encoded variants. 3) Monitor server logs for suspicious access patterns targeting the /store/:key endpoint, including unusual file access attempts or directory traversal strings. 4) If possible, temporarily disable or restrict the vulnerable endpoint until a patch is released. 5) Conduct a thorough audit of files accessible via the service to identify and secure sensitive data that could be exposed. 6) Prepare for rapid deployment of patches once the vendor releases a fix. 7) Educate security teams about this vulnerability and ensure incident response plans include detection and containment strategies for path traversal attacks. These targeted actions go beyond generic advice and focus on immediate risk reduction given the current lack of vendor remediation.