Key information

Title: VaelSys V4 4.1.0 Command Injection / Remote Code Execution

Description: A critical vulnerability in VaelSys V4 Platform v4.1.0 allows for Remote Code Execution (RCE) via the endpoint due to improper neutralization of special elements in an OS command within the parameter. The issue is in the function that does not sanitize the input passed in the tag. The user-supplied string is concatenated into a system-level shell command (e.g., using PHP , , ). Injecting shell metacharacters can append arbitrary OS commands.

Exploit Example: A crafted POST request to with the payload creates a PHP webshell. Access to confirms successful execution.

Source: https://github.com/CVE-Hunter-Leo/CVE/issues/10

User: CW.Wong (UID 88449)

Submission:
Date: 02/10/2026 07:59 AM
Moderation: 02/21/2026 10:06 PM
Status: Accepted

VulDB Entry:
ID: 347318
Description: VaelSys 4.1.0 HTTP POST Request /tree/tree_server.php xajaxargs os command injection
Points: 20
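
A detection check for the request pattern this entry describes, added here as an example and not taken from the submission or the vendor: it flags POST bodies sent to /tree/tree_server.php whose xajaxargs values contain shell metacharacters. It assumes form-encoded request bodies are captured (for example by a proxy or WAF); the helper names, the metacharacter set, the `<q>` markup and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/tree/tree_server.php"            # endpoint named in the VulDB entry
PARAM = re.compile(r"^xajaxargs(\[\d*\])?$")  # xajaxargs, xajaxargs[], xajaxargs[0]
# XML/HTML entities such as &amp; are stripped first so their ';' is not flagged.
ENTITY = re.compile(r"&(?:[A-Za-z]+|#\d+|#x[0-9A-Fa-f]+);")
# Assumption: metacharacters worth alerting on. '<' and '>' are left out
# because the argument may legitimately carry markup tags.
SHELL_META = re.compile(r"[;|`\n\r]|\$\(|\$\{|&")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded metacharacters are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_args(method, path, body):
    """Return the decoded xajaxargs values that contain shell metacharacters."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    hits = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if not PARAM.match(key):
            continue
        value = fully_decode(value)
        if SHELL_META.search(ENTITY.sub("", value)):
            hits.append(value)
    return hits

# Constructed sample requests (method, path, form-encoded body); not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, "xajax=load&xajaxargs[]=%3Cq%3Enode%2012%3C%2Fq%3E"),
    ("POST", ENDPOINT, "xajax=load&xajaxargs[]=%3Cq%3Ea%20%26amp%3B%20b%3C%2Fq%3E"),
    ("POST", ENDPOINT, "xajax=load&xajaxargs[]=%3Cq%3Enode%3B%20id%3C%2Fq%3E"),
    ("POST", ENDPOINT, "xajax=load&xajaxargs[]=node%257Cid"),  # double-encoded '|'
    ("POST", "/other.php", "xajaxargs[]=node%3Bid"),           # different endpoint
]

def scan(samples=SAMPLES):
    """Return (sample index, flagged values) for every sample that raises a hit."""
    return [(i, hits) for i, s in enumerate(samples) if (hits := suspicious_args(*s))]

if __name__ == "__main__":
    for index, hits in scan():
        print(f"sample {index}: {hits}")
```

A hit is a triage signal, not proof of exploitation; legitimate arguments that contain these characters will also match.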