CVE-2026-2952

Name of the Vulnerable Software and Affected Versions Vaelsys version 4.1.0

Description A flaw exists in Vaelsys 4.1.0 related to the HTTP POST Request Handler component. Specifically, manipulation of the xajaxargs argument within a request to the file '/tree/tree server.php' can lead to operating system command injection. This issue is exploitable remotely. The exploit has been published.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.