Description

A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code in the file /grid/vgrid_server.php of the component User Creation Handler. Manipulation can lead to improper authorization. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "Based on Vaelsys' analysis, the reported behavior does not allow actions beyond those already permitted to authenticated administrative users, and no change in system configuration or operational practices is necessary."

PUBLISHED Reserved 2025-07-26 | Published 2025-07-28 | Updated 2026-04-15 | Assigner VulDB




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P)
HIGH: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R)
HIGH: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R)
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR)

Problem types

Improper Authorization

Incorrect Privilege Assignment

Product status

4.1.0: affected

Timeline

2025-07-26: VulDB entry created
2026-03-20: Advisory disclosed
2026-04-15: VulDB entry last update

Credits

waiwai24 (VulDB User) reporter

security_vaelsys (VulDB User) analyst

VulDB CNA Team coordinator

References

vuldb.com/vuln/317849 (VDB-317849 | Vaelsys VaelsysV4 User Creation vgrid_server.php improper authorization) vdb-entry technical-description

vuldb.com/vuln/317849/cti (VDB-317849 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/616924 (Submit #616924 | Vaelsys Vaelsys V4 v4.1.0 Unauthorized User Creation Vulnerability) third-party-advisory

github.com/...Vulnerability_Exists_in_Vaelsys_V4_Platform.md exploit

vaelsys.github.io/...ry/advisories/VSEC_V4_2025_07_0003.html related

cve.org (CVE-2025-8261)

nvd.nist.gov (CVE-2025-8261)