| शीर्षक | elecV2 <=3.8.3 Remote Code Execution |
|---|
| विवरण | Remote Code Execution (RCE) vulnerability in elecV2P via the /webhook endpoint.
The /webhook endpoint accepts a rawcode parameter that is passed directly to runJSFile(). When JSON parsing fails, utils/string.js evaluates the input using new Function("return " + str), enabling arbitrary JavaScript execution including child_process calls. Confirmed via DNS callback. |
|---|
| स्रोत | ⚠️ https://github.com/elecV2/elecV2P/issues/195 |
|---|
| उपयोगकर्ता | ZAST.AI (UID 87884) |
|---|
| सबमिशन | 13/03/2026 05:27 AM (4 महीनों पहले) |
|---|
| संयम | 27/03/2026 03:11 PM (14 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 353896 [elecV2 elecV2P तक 3.8.3 JSON Parser /webhook runJSFile rawcode अधिकार वृद्धि] |
|---|
| अंक | 19 |
|---|