CVE-2026-5016
Published: 28 March 2026
Summary
CVE-2026-5016 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 18.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly validates the req argument input to the eAxios function in the URL Handler, preventing manipulation that enables SSRF.
Monitors and controls communications at system boundaries to block forged outbound requests to internal or unintended destinations.
Enforces flow control policies restricting server-initiated requests to authorized destinations only, mitigating SSRF exploitation.
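One way to implement the input validation and destination restriction described in the controls above, as an added example that is not elecV2P's code or a patch from the project: a Node.js check that a request-forwarding handler could run before fetching a caller-supplied URL. The names `checkDestination` and `resolveAndCheck` and the list of blocked ranges are assumptions of this example.

```javascript
'use strict';
// Added example: function names and blocked ranges are assumptions, not elecV2P code.
const net = require('net');
const dns = require('dns').promises;

// Address ranges a server-side fetcher should never reach for a caller.
const internal = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(prefix, bits, 'ipv4');
internal.addAddress('::', 'ipv6');        // unspecified
internal.addAddress('::1', 'ipv6');       // loopback
internal.addSubnet('fc00::', 7, 'ipv6');  // unique local
internal.addSubnet('fe80::', 10, 'ipv6'); // link-local

const bareHost = (url) => url.hostname.replace(/^\[|\]$/g, '');

// Pure check. `addresses` holds the IPs the hostname resolved to; it is
// ignored when the URL already carries an IP literal.
function checkDestination(rawUrl, addresses = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The WHATWG parser has already normalised forms such as http://2130706433/.
  const host = bareHost(url);
  const candidates = net.isIP(host) ? [host] : addresses;
  if (candidates.length === 0) return { ok: false, reason: 'no resolved address' };
  for (const ip of candidates) {
    const family = net.isIP(ip);
    if (family === 0 || internal.check(ip, family === 6 ? 'ipv6' : 'ipv4')) {
      return { ok: false, reason: `${ip} is internal or not an IP address` };
    }
  }
  // Connect to `pinned`, not to the name, so a second lookup cannot differ.
  return { ok: true, host, pinned: candidates[0] };
}

// Resolve once, then validate every answer before any request is sent.
async function resolveAndCheck(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return checkDestination(rawUrl); }
  const host = bareHost(url);
  const answers = net.isIP(host) ? [] : await dns.lookup(host, { all: true });
  return checkDestination(rawUrl, answers.map((a) => a.address));
}
```

Redirect responses need the same check on every hop, so automatic redirect following should be off in the HTTP client that consumes this result.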
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SSRF in a network-accessible public-facing server component (URL handler) directly enables initial access via exploitation of a public-facing application.
NVD Description
A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis (AI)
CVE-2026-5016 is a server-side request forgery (SSRF) vulnerability affecting elecV2 elecV2P versions up to 3.8.3. The issue resides in the eAxios function within the /mock file of the URL Handler component, where manipulation of the req argument enables the forgery. Assigned CWE-918, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to forge requests from the server to unintended destinations, such as internal services. A public exploit is available, increasing the risk of widespread use.
Advisories from VulDB and the project's GitHub repository note that the issue was reported early via elecV2/elecV2P issue #202, but the maintainers have not yet responded or released patches. No specific mitigations are detailed in the references; practitioners should monitor the GitHub repository for updates and consider network segmentation or disabling the affected component until remediation.
The exploit's public availability suggests potential for active exploitation, though no confirmed real-world incidents are reported in the provided data.
Details
- CWE(s)