Description
A security flaw has been discovered in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. It affects an unknown part of the file /grid/vgrid_server.php in the Web interface component. Manipulating the argument xajaxargs results in the use of a weak hash. The attack can be carried out remotely. The attack complexity is rather high, and exploitability is indicated to be difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 5.1.1 or 5.4.1 mitigates this issue. Upgrading the affected component is recommended.
Published: 2025-07-28
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure (weak hash may expose credentials or sensitive data)
Action: Apply Patch
AI Analysis

Impact

A flaw exists in Vaelsys VaelsysV4 where manipulating the xajaxargs parameter in the Web interface triggers the use of a weak hash algorithm. The weakness lies in the cryptographic handling of the argument, potentially allowing an attacker to recover hash values or infer stored secrets. This can lead to leakage of sensitive information, such as user credentials or configuration data, compromising confidentiality. The vulnerability is not a direct remote code execution flaw, but it facilitates unauthorized data disclosure through insecure hashing.

Affected Systems

The issue affects Vaelsys VaelsysV4 versions up to 5.1.0 and 5.4.0, specifically the file /grid/vgrid_server.php in the Web interface component. Users running any of these releases should verify that they are not using the affected build and consider an upgrade to the patched releases.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score of less than 1% shows a very small chance of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Although the exploit is publicly available, it requires remote manipulation of a specific HTTP argument and is considered high complexity and difficult to exploit successfully. Nonetheless, because sensitive data may be compromised, immediate patching is recommended over passive monitoring.

Generated by OpenCVE AI on April 20, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vaelsys VaelsysV4 application to at least version 5.1.1 or 5.4.1, which removes the vulnerable weak hash handling.
  • If an upgrade cannot occur immediately, restrict external access to the /grid/vgrid_server.php endpoint via firewall rules or IP whitelisting to limit the attack surface.
  • Review any custom code that processes xajaxargs or performs hash operations and replace insecure algorithms with cryptographically secure hash functions as recommended by CWE‑327 guidance.


Advisories
Source: EUVD
ID: EUVD-2025-22853
Title: A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

History

Wed, 15 Apr 2026 15:15:00 +0000


Wed, 15 Apr 2026 07:45:00 +0000

Description
  Values Removed: A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Values Added: A security flaw has been discovered in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. This affects an unknown part of the file /grid/vgrid_server.php of the component Web interface. Performing a manipulation of the argument xajaxargs results in use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 5.1.1 and 5.4.1 is able to mitigate this issue. Upgrading the affected component is recommended.
Title
  Values Removed: Vaelsys MD4 Hash vgrid_server.php weak hash
  Values Added: Vaelsys VaelsysV4 Web interface vgrid_server.php weak hash
References
Metrics
  Values Removed:
    cvssV2_0: {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  Values Added:
    cvssV2_0: {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}


Thu, 31 Jul 2025 17:45:00 +0000

CPEs
  Values Added: cpe:2.3:a:vaelsys:vaelsys:4.1.0:*:*:*:*:*:*:*

Tue, 29 Jul 2025 08:00:00 +0000

First Time appeared
  Values Added:
    Vaelsys
    Vaelsys vaelsys
Vendors & Products
  Values Added:
    Vaelsys
    Vaelsys vaelsys

Mon, 28 Jul 2025 16:15:00 +0000

Metrics
  Values Added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 06:15:00 +0000

Description
  Values Added: A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title
  Values Added: Vaelsys MD4 Hash vgrid_server.php weak hash
Weaknesses
  Values Added: CWE-327, CWE-328
References
Metrics
  Values Added:
    cvssV2_0: {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-04-15T07:02:44.090Z
Reserved: 2025-07-26T16:14:24.601Z
Link: CVE-2025-8260

Vulnrichment

Updated: 2025-07-28T15:57:59.502Z

NVD

Status: Modified
Published: 2025-07-28T06:15:25.620
Modified: 2026-04-15T08:16:16.073
Link: CVE-2025-8260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses