CVE-2026-2952 | Vaelsys 4.1.0 HTTP POST Request /tree/tree_server.php xajaxargs os command injection

Inserito da Angelo Barbosa | Feb 21, 2026 | CVE

A vulnerability was found in Vaelsys 4.1.0. It has been classified as critical. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection.

This vulnerability is tracked as CVE-2026-2952. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-2952 | Vaelsys 4.1.0 HTTP POST Request /tree/tree_server.php xajaxargs os command injection

Post correlati

CVE-2023-47141 | IBM DB2/DB2 Connect Server 11.5 on Linux Query denial of service (XFDB-270264)

CVE-2025-9339 | Simple ERP up to 6.30@a04.2 Warehouse Document Filtering Form sql injection

CVE-2026-1335 | Dassault Systèmes SOLIDWORKS eDrawings 2025/2026 EPRT File Parser out-of-bounds write

CVE-2023-48419 | Google Nest Mini 1.56.356012 WiFi privileges management