CVE-2026-2952 | Vaelsys 4.1.0 HTTP POST Request /tree/tree_server.php xajaxargs os command injection

A vulnerability was found in Vaelsys 4.1.0. It has been classified as critical. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection.

This vulnerability is tracked as CVE-2026-2952. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More