Submit #779180: elecV2P <=3.8.3 Reflected XSSinfo

TitleelecV2P <=3.8.3 Reflected XSS
DescriptionThe /logs endpoint reflects the filename parameter directly into HTML output via res.write(... ${log} ...) without escaping. An attacker can inject arbitrary HTML/JavaScript through the filename value, executing in any visitor's browser. No authentication required.
Source⚠️ https://github.com/elecV2/elecV2P/issues/201
User
 ZAST.AI (UID 87884)
Submission03/13/2026 05:30 (16 days ago)
Moderation03/27/2026 15:12 (14 days later)
StatusAccepted
VulDB entry353900 [elecV2 elecV2P up to 3.8.3 Endpoint /logs filename cross site scripting]
Points18

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!