CVE-2026-2952 is an OS command injection vulnerability identified in Vaelsys version 4.1.0, affecting the HTTP POST request handler component located in the /tree/tree_server.php file. The vulnerability is triggered by manipulating the xajaxargs argument, which is not properly sanitized or validated, allowing an attacker to inject arbitrary operating system commands. This injection flaw enables remote attackers to execute commands on the underlying server without requiring any authentication or user interaction, making exploitation straightforward. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting medium severity, with network attack vector, low complexity, and no privileges or user interaction needed. The impact includes potential unauthorized access, data manipulation, and service disruption. Despite early notification, the vendor has not issued a patch or response, and a public exploit is available, increasing the risk of exploitation. The vulnerability affects only version 4.1.0 of Vaelsys, and no other versions have been reported vulnerable. The lack of vendor response and patch availability necessitates immediate defensive measures by users of this software.

The vulnerability allows remote attackers to execute arbitrary OS commands on affected Vaelsys servers, potentially leading to full system compromise. This can result in unauthorized data access, data modification or deletion, disruption of service, and use of the compromised system as a foothold for further attacks within an organization’s network. The absence of authentication and user interaction requirements significantly increases the attack surface and ease of exploitation. Organizations relying on Vaelsys 4.1.0 for critical operations may face confidentiality breaches, integrity violations, and availability outages. The published exploit increases the likelihood of active exploitation attempts. The vendor’s lack of response and patch availability prolongs exposure and risk. This threat is particularly concerning for environments where Vaelsys is internet-facing or accessible by untrusted networks.

Since no official patch is available, organizations should implement immediate compensating controls. These include restricting network access to the Vaelsys server by firewall rules or VPNs to limit exposure to trusted users only. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious HTTP POST requests containing unusual or malicious xajaxargs parameters. Conduct thorough input validation and sanitization on the server side if possible by modifying the application code or deploying runtime application self-protection (RASP) tools. Monitor logs for unusual command execution patterns or unexpected system behavior. Isolate the affected server from critical network segments to limit lateral movement. Plan for rapid patch deployment once the vendor releases an official fix. Additionally, consider migrating to alternative software if the vendor remains unresponsive. Regular backups and incident response readiness are essential to mitigate potential damage.