CVE-2026-2952

HighPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

25 February 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0033 56.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection. The attack is possible to be…

carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates the xajaxargs argument in HTTP POST requests to /tree/tree_server.php, directly preventing OS command injection exploitation.

SI-2 Flaw Remediation good match

prevent

Identifies, reports, and corrects the specific OS command injection flaw in the HTTP POST Request Handler component.

SI-4 System Monitoring partial match

detect

Monitors the system for indicators of OS command injection attacks, such as anomalous command execution or network behavior.

Security SummaryAI

CVE-2026-2952 is an OS command injection vulnerability (CWE-77, CWE-78) affecting Vaelsys version 4.1.0. The flaw exists in unknown code within the file /tree/tree_server.php of the HTTP POST Request Handler component, where manipulation of the xajaxargs argument enables the injection.

The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands on the affected system.

Advisories referenced on VulDB and a GitHub issue detail the vulnerability and note that an exploit has been published and may be used. The vendor was contacted early regarding disclosure but did not respond, with no patches or specific mitigations mentioned in the available information.

Details

CWE(s): CWE-77 CWE-78

Affected Products

vaelsys

4.1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

OS command injection in a public-facing web application (PHP HTTP POST handler) enables exploitation of public-facing apps (T1190) and arbitrary command execution via OS command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/CVE-Hunter-Leo/CVE/issues/10
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347318
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347318
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.755166
Third Party Advisory, VDB Entry · cna@vuldb.com