Description
A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component User Creation Handler. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "Based on Vaelsys' analysis, the reported behavior does not allow actions beyond those already permitted to authenticated administrative users, and no change in system configuration or operational practices is necessary."
Published: 2025-07-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization – Potential Unauthorized User Creation within Admin Scope
Action: Apply Patch
AI Analysis

Impact

A weakness in Vaelsys VaelsysV4 4.1.0’s user creation handler located at "/grid/vgrid_server.php" allows a remote attacker to manipulate input and bypass standard authorization checks during account creation. The vendor’s analysis states that the resulting behavior does not grant any privileges beyond those already permitted to authenticated administrative users; it simply enables account creation that administrators could otherwise perform. Consequently, an attacker may generate additional user accounts but the impact is limited to the authority level of existing administrators, not an escalation to higher privileges.

Affected Systems

Vaelsys VaelsysV4 version 4.1.0 is identified as affected. The vulnerability resides in the code path of the vgrid_server.php component responsible for handling user creation. No other versions or products are listed in the advisory.

Risk and Exploitability

With a CVSS score of 6.9, this vulnerability is classified as medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and it is not listed in the CISA KEV catalog. The attack vector is remote and a public exploit is available, so while the overall threat is moderate, organizations should be aware that an attacker could create accounts within the administrative scope if the underlying authorization controls are not enforced.

Generated by OpenCVE AI on April 22, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vaelsys VaelsysV4 to the latest patch released for the vgrid_server.php authorization flaw (see vendor advisory).
  • Restrict direct access to "/grid/vgrid_server.php" so that only administrator users can invoke the endpoint, using role‑based access controls or firewall rules.
  • Enable logging of all user creation events and perform regular audits to detect any unexpected account additions.



Advisories

Source: EUVD
ID: EUVD-2025-22856
Title: A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
History

Wed, 15 Apr 2026 15:15:00 +0000


Wed, 15 Apr 2026 07:45:00 +0000

Description
  Values removed: A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Values added: A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component User Creation Handler. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "Based on Vaelsys' analysis, the reported behavior does not allow actions beyond those already permitted to authenticated administrative users, and no change in system configuration or operational practices is necessary."
Title
  Values removed: Vaelsys User Creation vgrid_server.php improper authorization
  Values added: Vaelsys VaelsysV4 User Creation vgrid_server.php improper authorization
References

Thu, 31 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:vaelsys:vaelsys:4.1.0:*:*:*:*:*:*:*

Tue, 29 Jul 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Vaelsys
Vaelsys vaelsys
Vendors & Products Vaelsys
Vaelsys vaelsys

Mon, 28 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 06:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Vaelsys User Creation vgrid_server.php improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-15T07:13:54.724Z

Reserved: 2025-07-26T16:14:28.085Z

Link: CVE-2025-8261

Vulnrichment

Updated: 2025-07-28T15:53:49.115Z

NVD

Status : Modified

Published: 2025-07-28T07:15:25.140

Modified: 2026-04-15T08:16:16.263

Link: CVE-2025-8261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z