Cyber Posture

CVE-2026-2952

HighPublic PoC

Published: 22 February 2026

Published
22 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0033 56.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2952 is a high-severity Command Injection (CWE-77) vulnerability in Vaelsys Vaelsys. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates the xajaxargs argument in HTTP POST requests to /tree/tree_server.php, directly preventing OS command injection exploitation.

SI-2 Flaw Remediation good match
prevent

Identifies, reports, and corrects the specific OS command injection flaw in the HTTP POST Request Handler component.

SI-4 System Monitoring partial match
detect

Monitors the system for indicators of OS command injection attacks, such as anomalous command execution or network behavior.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

OS command injection in a public-facing web application (PHP HTTP POST handler) enables exploitation of public-facing apps (T1190) and arbitrary command execution via OS command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection. The attack is possible to be…

more

carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-2952 is an OS command injection vulnerability (CWE-77, CWE-78) affecting Vaelsys version 4.1.0. The flaw exists in unknown code within the file /tree/tree_server.php of the HTTP POST Request Handler component, where manipulation of the xajaxargs argument enables the injection.

The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands on the affected system.

Advisories referenced on VulDB and a GitHub issue detail the vulnerability and note that an exploit has been published and may be used. The vendor was contacted early regarding disclosure but did not respond, with no patches or specific mitigations mentioned in the available information.

Details

CWE(s)
CWE-77CWE-78

Affected Products

vaelsys
vaelsys
4.1.0

CVEs Like This One

CVE-2025-8259Same product: Vaelsys Vaelsys
CVE-2025-8261Same product: Vaelsys Vaelsys
CVE-2025-1546Shared CWE-77, CWE-78
CVE-2026-7062Shared CWE-77, CWE-78
CVE-2025-1536Shared CWE-77, CWE-78
CVE-2026-1544Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2025-15501Shared CWE-77, CWE-78
CVE-2026-7698Shared CWE-77, CWE-78
CVE-2025-59740Shared CWE-77, CWE-78

References