| Title | elecV2 <=3.8.3 SSRF |
|---|
| Description | The /mock endpoint accepts a request object and passes it directly to eAxios() without authentication or URL validation. With type: "req", the server fetches any attacker-supplied URL, enabling internal network scanning and data exfiltration. Confirmed via DNS callback.
|
|---|
| Source | ⚠️ https://github.com/elecV2/elecV2P/issues/202 |
|---|
| User | ZAST.AI (UID 87884) |
|---|
| Submission | 03/13/2026 05:31 (4 months ago) |
|---|
| Moderation | 03/27/2026 15:12 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 353901 [elecV2 elecV2P up to 3.8.3 URL /mock eAxios req server-side request forgery] |
|---|
| Points | 17 |
|---|