CVE-2026-49141

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

CVE-2026-49141

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

CVE-2026-49141 WACRM Authorization Bypass via Automation Engine Endpoint

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

EUVD-2026-35194

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

CVE-2026-49141

WACRM vulnerability CVE-2026-49141: auth bypass in the automation engine allows an authenticated attacker to access/modify contacts of other tenants by sending a caller-controlled contact_id in a POST body, bypassing tenant ownership verification. Exploitation occurs via the service-role client t...

PT-2026-47450

Name of the Vulnerable Software and Affected Versions WACRM versions prior to commit 73041bf Description An authorization bypass exists in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants. By providing an arbitrary contact id in th...

EUVD-2026-22303

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

CVE-2025-14294

CVE-2025-14294 : Razorpay for WooCommerce (WordPress) is vulnerable to unauthorized modification of order data due to a broken authentication check in getCouponList() caused by checkAuthCredentials() always returning true. This permits unauthenticated attackers to modify billing/shipping contact ...

Cross site scripting

An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting XSS vulnerabilities in the firstname, lastname, billingaddress-address, billingaddress-zipcode, billingaddress-city, billingaddress-department, shippingaddress-address, shippingaddress-zipcode,...