CVE-2025-8260

LOW

Vaelsys - Broken Cryptographic Algorithm

Title source: rule

Description

A security flaw has been discovered in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. This affects an unknown part of the file /grid/vgrid_server.php of the component Web interface. Performing a manipulation of the argument xajaxargs results in use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 5.1.1 and 5.4.1 is able to mitigate this issue. Upgrading the affected component is recommended.

References (8)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/317848

[Signature, Permissions Required] https://vuldb.com/vuln/317848/cti

[Third Party Advisory] https://vuldb.com/submit/616922

[Exploit, Third Party Advisory] https://github.com/waiwai24/0101/blob/main/CVEs/Vaelsys/Unauthorized_Access_Leads_to_Sensitive_Information_Leakage_in_Vaelsys_V4_Platform.md

View Exploit ZIP pw:eip

[Patch] https://vaelsys.github.io/security-advisory/advisories/VSEC_V4_2025_07_0002.html

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.317848

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.317848

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.616922

Scores

CVSS v3 3.1

EPSS 0.0004

EPSS Percentile 13.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-327 CWE-328

Status published

Products (9)

vaelsys/vaelsys 4.1.0

Vaelsys/VaelsysV4 5.0

Vaelsys/VaelsysV4 5.1

Vaelsys/VaelsysV4 5.1.0

Vaelsys/VaelsysV4 5.1.1

Vaelsys/VaelsysV4 5.2

Vaelsys/VaelsysV4 5.3

Vaelsys/VaelsysV4 5.4.0

Vaelsys/VaelsysV4 5.4.1

Published Jul 28, 2025

Tracked Since Feb 18, 2026