CVE-2026-2952

HIGH

Vaelsys 4.1.0 - Command Injection

Title source: llm

Description

A flaw has been found in Vaelsys 4.1.0. It affects unknown code in the file /tree/tree_server.php of the HTTP POST request handler component. Manipulating the argument xajaxargs leads to OS command injection. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Scores

CVSS v3 7.3
EPSS 0.0028
EPSS Percentile 51.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE CWE-78, CWE-77
Status published

Affected Products (1)

vaelsys/vaelsys

Timeline

Published Feb 22, 2026
Tracked Since Feb 22, 2026