CVE-2026-2952 is a remote OS command injection vulnerability affecting Vaelsys version 4.1.0. The flaw exists in the HTTP POST Request Handler, specifically in the /tree/tree_server.php file, where the 'xajaxargs' parameter is improperly sanitized or validated. This allows an attacker to inject and execute arbitrary OS commands remotely without requiring authentication or user interaction. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), and no privileges or user interaction needed (PR:N/UI:N). The impact affects confidentiality, integrity, and availability at a low level, as indicated by the CVSS vector. The vendor was notified early but has not issued any patch or response, and an exploit has been published publicly, increasing the risk of exploitation. No known exploits in the wild have been reported yet. This vulnerability can lead to unauthorized system control, data compromise, or service disruption on affected Vaelsys installations running version 4.1.0.

The vulnerability allows remote attackers to execute arbitrary OS commands on affected Vaelsys 4.1.0 systems, potentially leading to full system compromise. This can result in unauthorized data access or modification, disruption of services, and use of the compromised system as a foothold for further attacks within an organization’s network. Since no authentication is required, any attacker with network access to the vulnerable endpoint can exploit this flaw. The lack of vendor response and patches increases the window of exposure, raising the risk for organizations relying on Vaelsys 4.1.0. This can impact confidentiality, integrity, and availability of critical systems, especially in environments where Vaelsys is used for sensitive or operational functions.

Organizations should immediately restrict network access to the vulnerable Vaelsys 4.1.0 HTTP POST endpoint, ideally by implementing firewall rules or network segmentation to limit exposure. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'xajaxargs' parameter. Conduct thorough input validation and sanitization on all user-supplied data if custom modifications are possible. Monitor logs for unusual command execution patterns or unexpected system behavior. Since no official patch is available, consider upgrading to a later, unaffected version of Vaelsys if available or applying vendor-provided workarounds once released. Additionally, implement strict least privilege principles on the host OS to limit the impact of potential command execution. Regularly back up critical data and prepare incident response plans to quickly address any exploitation attempts.