Lucene search
+L

117 matches found

CVE
CVE
added 2026/07/10 6:24 p.m.9 views

CVE-2026-61460

Krayin CRM up to version 2.2.3 is affected by an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. The root cause is missing record-level ownership validation in edit, update, and destroy methods, e...

8.8CVSS6.1AI score0.0028EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 6:24 p.m.3 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.7CVSS6.1AI score0.0028EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/10 6:24 p.m.35 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS0.0028EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:48 p.m.11 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.5AI score0.0021EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-38532

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00351EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.13 views

CVE-2026-38527

A Server-Side Request Forgery SSRF in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request...

8.5CVSS5.5AI score0.00249EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-38529

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

8.8CVSS5.5AI score0.00624EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00351EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.13 views

CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file...

9.9CVSS6AI score0.02759EPSS
Exploits11References1
GithubExploit
GithubExploit
added 2026/05/16 6:51 p.m.251 views

Exploit for CVE-2026-38526

CVE-2026-38526 | Krayin CRM v2.2.x Authenticated RCE - Unrestr...

9.9CVSS6.5AI score0.02759EPSS
Exploits11
EUVD
EUVD
added 2026/05/07 6:30 p.m.17 views

EUVD-2026-28390

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References6
OSV
OSV
added 2026/05/07 6:30 p.m.6 views

GHSA-J822-46R5-H4QX Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/05/07 6:30 p.m.15 views

Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References8Affected Software1
NVD
NVD
added 2026/05/07 4:16 p.m.26 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS0.0021EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 12:0 a.m.30 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

0.0021EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/07 12:0 a.m.6 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/07 12:0 a.m.7 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.8AI score0.0021EPSS
Exploits0References5
OSV
OSV
added 2026/05/07 12:0 a.m.7 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.9AI score0.0021EPSS
Exploits0References7
OSV
OSV
added 2026/04/30 6:30 p.m.12 views

GHSA-32PX-CCFX-CXQ3 Krayin CRM allows a remote attacker to execute arbitrary code via compose email function

An issue in Krayin CRM v.2.1.5, which was fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function...

8.1CVSS6.2AI score0.00567EPSS
Exploits1References5
NVD
NVD
added 2026/04/30 4:16 p.m.11 views

CVE-2026-36340

An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function...

8.1CVSS0.00567EPSS
Exploits1References3
Rows per page
Query Builder