Cyber Resilience

CVE-2026-2952

MediumPublic PoC

Published: 22 February 2026

Published
22 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0452 90.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2952 is a medium-severity Command Injection (CWE-77) vulnerability in Vaelsys Vaelsys. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2952 is an OS command injection vulnerability (CWE-77, CWE-78) affecting Vaelsys version 4.1.0. The flaw exists in unknown code within the file /tree/tree_server.php of the HTTP POST Request Handler component, where manipulation of the xajaxargs argument enables the injection.

The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands on the affected system.

Advisories referenced on VulDB and a GitHub issue detail the vulnerability and note that an exploit has been published and may be used. The vendor was contacted early regarding disclosure but did not respond, with no patches or specific mitigations mentioned in the available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection. The attack is possible to be…

more

carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in a public-facing web application (PHP HTTP POST handler) enables exploitation of public-facing apps (T1190) and arbitrary command execution via OS command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-8259Same product: Vaelsys Vaelsys
CVE-2025-8261Same product: Vaelsys Vaelsys
CVE-2026-7062Shared CWE-77, CWE-78
CVE-2025-1676Shared CWE-77, CWE-78
CVE-2026-1544Shared CWE-77, CWE-78
CVE-2025-1536Shared CWE-77, CWE-78
CVE-2025-59740Shared CWE-77, CWE-78
CVE-2026-7590Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2025-59736Shared CWE-77, CWE-78

Affected Assets

vaelsys
vaelsys
4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates the xajaxargs argument in HTTP POST requests to /tree/tree_server.php, directly preventing OS command injection exploitation.

prevent

Identifies, reports, and corrects the specific OS command injection flaw in the HTTP POST Request Handler component.

detect

Monitors the system for indicators of OS command injection attacks, such as anomalous command execution or network behavior.

References