
CVE-2026-5012

Severity: Medium
Published: 28 March 2026
Modified: 24 April 2026
KEV Added: none
Patch: none
CVSS v4.0 score: 6.9
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0221 (84.8th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5012 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A flaw has been identified in elecV2P versions up to 3.8.3 that permits OS command injection through the pm2run function in the /rpc endpoint. The issue stems from improper handling of input to this function, classified under CWE-77 and CWE-78, and carries a CVSS 4.0 score of 6.9 reflecting network-accessible attack conditions with limited impacts on confidentiality, integrity, and availability.

Remote attackers without authentication can supply crafted input to execute arbitrary operating system commands on the affected system. Publicly available exploit code exists for this vector, enabling unauthenticated parties to trigger the injection and achieve command execution on the host running the application.

The project repository and associated issue tracker were notified of the problem prior to disclosure, yet the maintainers have issued no response or patch. Reference materials consist primarily of the GitHub project page, issue 196, and VulDB entries that document the vulnerability without providing mitigation guidance.

The EPSS score remains low and unchanged at 0.0221, with no upward movement observed since publication, even though the existence of published exploit code shows that proof-of-concept activity has occurred.


Vulnerability details

A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to OS command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in publicly accessible /rpc endpoint (pm2run) allows unauthenticated remote execution of arbitrary OS commands, directly enabling T1190 for initial access and T1059.004 for Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (all share CWE-77 and CWE-78)

CVE-2026-9454
CVE-2026-6116
CVE-2026-6158
CVE-2026-7138
CVE-2025-9387
CVE-2025-15472
CVE-2026-2260
CVE-2026-9385
CVE-2026-4465
CVE-2026-7125


Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent): Information input validation directly prevents OS command injection by enforcing proper sanitization of inputs to the vulnerable pm2run function in /rpc.

SI-2 Flaw Remediation (prevent): Flaw remediation ensures timely patching of the command injection vulnerability in elecV2/elecV2P versions up to 3.8.3.

Vulnerability scanning (detect, respond): Vulnerability scanning identifies the presence of CVE-2026-5012 and triggers remediation to mitigate the unpatched OS command injection risk.
