CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•20 views

Vtiger CRM v7.2.0 - Directory Listing

Vtiger CRM v7.2.0 contains a directory traversal vulnerability caused by improper access controls in /libraries and /layout directories, letting attackers display hidden files and list directories, exploit requires no authentication. id: CVE-2020-19363 info: name: Vtiger CRM v7.2.0 - Directory...

6.5CVSS6.5AI score0.06148EPSS

Exploits1References2

Nuclei•added yesterday•23 views

CRM Perks Forms < 1.1.1 - Cross Site Scripting

The plugin does not sanitise and escape some parameters from a sample file before outputting them back in the page, leading to Reflected Cross-Site Scripting id: CVE-2022-38467 info: name: CRM Perks Forms 1.1.1 - Cross Site Scripting author: r3Y3r53 severity: medium description: | The plugin does...

6.1CVSS6.3AI score0.12129EPSS

Vulnrichment•added yesterday•2 views

CVE-2026-11619 Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization

6.5CVSS6.1AI score0.00042EPSS

Exploits0References6

RedhatCVE•added 2 days ago•6 views

CVE-2026-11456

A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxfdumpsystable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly availab...

Nuclei•added 2 days ago•11 views

CRM Perks Forms <= 1.1.4 - SQL Injection

CRM Perks CRM Perks Forms affected versions 1.1.4 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2024-30498 info: name: CRM Perks Forms ...

10CVSS8.2AI score0.14998EPSS

Exploits0References3

NVD•added 3 days ago•8 views

CVE-2026-11456

7.5CVSS0.0003EPSS

ATTACKERKB•added 3 days ago•7 views

CVE-2026-11456

Exploits0References5Affected Software1

Vulnrichment•added 3 days ago•3 views

CVE-2026-11456 Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection

EUVD•added 3 days ago•11 views

EUVD-2026-34986

Positive Technologies•added 3 days ago•10 views

PT-2026-47178

A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf dump systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly...

Vulnrichment•added 4 days ago•5 views

Exploits0References6

CVE-2026-8901 Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2CVSS5.7AI score0.00163EPSS

Exploits0References10

RedhatCVE•added 5 days ago•4 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.5AI score0.00038EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-6628

A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been publish...

6.5CVSS6.3AI score0.00034EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-35451

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...

5.7CVSS5.8AI score0.00043EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-38532

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00038EPSS

RedhatCVE•added 5 days ago•8 views

CVE-2026-38527

A Server-Side Request Forgery SSRF in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request...

8.5CVSS5.5AI score0.00036EPSS

Exploits1References1

RedhatCVE•added 5 days ago•7 views

CVE-2026-38529

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

8.8CVSS5.5AI score0.00064EPSS

RedhatCVE•added 5 days ago•4 views

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00038EPSS

RedhatCVE•added 5 days ago•5 views

CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file...

9.9CVSS6AI score0.00024EPSS