CVE-2026-5012
Published: 28 March 2026
Summary
CVE-2026-5012 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.2% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A flaw has been identified in elecV2P versions up to 3.8.3 that permits OS command injection through the pm2run function in the /rpc endpoint. The issue stems from improper handling of input to this function, classified under CWE-77 and CWE-78, and carries a CVSS 4.0 score of 6.9 reflecting network-accessible attack conditions with limited impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can supply crafted input to this function and execute arbitrary operating system commands on the host running the application. Exploit code for this vector is publicly available, so triggering the injection requires no authentication and little effort.
The project repository and its issue tracker were notified of the problem prior to disclosure, but the maintainers have issued neither a response nor a patch. Reference materials consist primarily of the GitHub project page, issue 196, and VulDB entries that document the vulnerability without providing mitigation guidance. Because no fixed version exists, defenders must rely on compensating controls, such as restricting network access to the /rpc endpoint, rather than on an upgrade.
The EPSS score is 0.0221 and has not moved since publication. The score is low, but published exploit code means proof-of-concept activity has already occurred, so a low probability estimate should not be read as an absence of attacker capability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16943
Vulnerability details
A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to OS command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the publicly accessible /rpc endpoint (pm2run) allows unauthenticated remote execution of arbitrary OS commands. That directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for the command execution that follows.
Mitigating Controls (NIST 800-53 r5)
Information input validation (SI-10) directly prevents OS command injection by constraining the input that reaches the vulnerable pm2run function in /rpc before any of it is handed to the operating system; in practice that means allowlisting the values the function accepts and never passing them through a shell.
Flaw remediation (SI-2) ensures timely patching of the command injection vulnerability in elecV2/elecV2P versions up to 3.8.3 once a fixed version is released; none has been published as of this writing, so this control cannot yet be applied.
Vulnerability scanning identifies the presence of CVE-2026-5012 on exposed hosts and triggers remediation to mitigate the unpatched OS command injection risk.