Cyber Resilience

CVE-2026-5016

Severity: Medium

Published: 28 March 2026
Modified: 24 April 2026
CVSS v4.0 base score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (19.2nd percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5016 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-5016 is a server-side request forgery (SSRF) vulnerability affecting elecV2 and elecV2P versions up to 3.8.3. The issue resides in the eAxios function within the /mock file of the URL Handler component, where manipulation of the req argument lets a caller control the destination of a request the server issues. Assigned CWE-918, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which maps to High under v3.1 because of its network reachability and lack of prerequisites, while the CVSS v4.0 score of 6.9 listed above maps to Medium.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to forge requests from the server to unintended destinations, such as internal services. A public exploit is available, increasing the risk of widespread use.

Advisories from VulDB and the project's GitHub repository note that the issue was reported early via elecV2/elecV2P issue #202, but the maintainers have not yet responded or released patches. No specific mitigations are detailed in the references; practitioners should monitor the GitHub repository for updates and consider network segmentation or disabling the affected component until remediation.

The exploit's public availability suggests potential for active exploitation, though no confirmed real-world incidents are reported in the provided data.

Vulnerability details

A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in a network-accessible public-facing server component (URL handler) directly enables initial access via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-6514 (shared CWE-918)
- CVE-2026-44116 (shared CWE-918)
- CVE-2026-21887 (shared CWE-918)
- CVE-2026-31910 (shared CWE-918)
- CVE-2026-48153 (shared CWE-918)
- CVE-2026-45298 (shared CWE-918)
- CVE-2026-39362 (shared CWE-918)
- CVE-2026-31989 (shared CWE-918)
- CVE-2025-27652 (shared CWE-918)
- CVE-2026-42352 (shared CWE-918)

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly validates the req argument input to the eAxios function in the URL Handler, preventing manipulation that enables SSRF.
- prevent (SC-7 Boundary Protection): Monitors and controls communications at system boundaries to block forged outbound requests to internal or unintended destinations.
- prevent (AC-4 Information Flow Enforcement): Enforces flow control policies restricting server-initiated requests to authorized destinations only, mitigating SSRF exploitation.
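As an added illustration of the input-validation and flow-control mitigations listed above (example code written for this page, not elecV2P's own eAxios implementation; the names checkRequestTarget, isPrivateHost, allowedHosts and runDemo, and the sample targets, are assumptions), a destination check that a URL-fetching handler can run on a caller-supplied request target before the server issues the request:

```javascript
// Added example, not elecV2P project code: validate a caller-supplied request
// target before a server-side fetch. Names (checkRequestTarget, allowedHosts)
// are assumptions; the sample targets in runDemo() are constructed.

// Hostname patterns for loopback, RFC 1918, link-local (including the cloud
// metadata address 169.254.169.254), CGNAT, "this network" and broadcast.
// They are matched on the WHATWG-normalized hostname, so decimal, hex or
// octal spellings such as http://2130706433/ are already canonical here.
const PRIVATE_V4 = [
  /^127\./, /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
  /^169\.254\./, /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./,
  /^0\./, /^255\.255\.255\.255$/,
];

function isPrivateHost(hostname) {
  if (hostname.startsWith('[')) {                   // IPv6 literal, e.g. "[::1]"
    const v6 = hostname.slice(1, -1).toLowerCase();
    return v6 === '::1' || v6 === '::' ||           // loopback, unspecified
      /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6) ||  // ULA, link-local
      v6.startsWith('::ffff:');                     // IPv4-mapped: reject outright
  }
  return hostname === 'localhost' || PRIVATE_V4.some((re) => re.test(hostname));
}

// Returns { ok: true, url } or { ok: false, reason }. With an allowedHosts list
// only those exact hostnames pass (the allow-list is the strong control: it also
// covers DNS names that resolve to internal addresses); the private-range check
// is kept as defense in depth either way.
function checkRequestTarget(target, allowedHosts = null) {
  let u;
  try { u = new URL(String(target)); } catch { return { ok: false, reason: 'unparseable url' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed: ' + u.protocol };
  }
  if (u.username || u.password) return { ok: false, reason: 'credentials in url' };
  if (isPrivateHost(u.hostname)) return { ok: false, reason: 'private or loopback host' };
  if (allowedHosts && !allowedHosts.includes(u.hostname)) {
    return { ok: false, reason: 'host not on allow-list' };
  }
  return { ok: true, url: u.href };
}

// Constructed sample targets: only the last one should pass the allow-list.
function runDemo() {
  const samples = ['http://169.254.169.254/latest/meta-data/', 'http://2130706433/',
    'http://[::1]:8080/', 'file:///etc/hosts', 'https://user:pw@api.example.com/',
    'https://other.example.com/', 'https://api.example.com/v1'];
  return samples.map((s) => [s, checkRequestTarget(s, ['api.example.com'])]);
}
```

Because the WHATWG URL parser canonicalizes numeric hosts, the regular expressions see `127.0.0.1` for both `http://2130706433/` and `http://0x7f000001/`; hostnames that are not IP literals are only safe when they are on the allow-list.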
