Submit #779173: elecV2 <=3.8.3 Remote Code Executioninfo

TitleelecV2 <=3.8.3 Remote Code Execution
DescriptionRemote Code Execution (RCE) vulnerability in elecV2P via the /webhook endpoint. The /webhook endpoint accepts a rawcode parameter that is passed directly to runJSFile(). When JSON parsing fails, utils/string.js evaluates the input using new Function("return " + str), enabling arbitrary JavaScript execution including child_process calls. Confirmed via DNS callback.
Source⚠️ https://github.com/elecV2/elecV2P/issues/195
User
 ZAST.AI (UID 87884)
Submission03/13/2026 05:27 (16 days ago)
Moderation03/27/2026 15:11 (14 days later)
StatusAccepted
VulDB entry353896 [elecV2 elecV2P up to 3.8.3 JSON Parser /webhook runJSFile rawcode code injection]
Points19

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!