Submit #779174: elecV2 <=3.8.3 Remote Code Executioninfo

Title	elecV2 <=3.8.3 Remote Code Execution
Description	The /rpc endpoint requires no authentication. The pm2run method concatenates params[0] directly into exec('pm2 start ' + params[0]) without sanitization, enabling OS command injection. Confirmed by reading /etc/passwd from the response.
Source	⚠️ https://github.com/elecV2/elecV2P/issues/196
User	ZAST.AI (UID 87884)
Submission	03/13/2026 05:28 (16 days ago)
Moderation	03/27/2026 15:11 (14 days later)
Status	Accepted
VulDB entry	353897 [elecV2 elecV2P up to 3.8.3 /rpc pm2run os command injection]
Points	17

Do you know our Splunk app?

Download it now for free!