Lucene search
+L

156 matches found

OSV
OSV
added last week3 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.7CVSS6.1AI score0.0028EPSS
Exploits0References6
Cvelist
Cvelist
added last week33 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS0.0028EPSS
Exploits0References3
CVE
CVE
added last week8 views

CVE-2026-61460

Krayin CRM up to version 2.2.3 is affected by an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. The root cause is missing record-level ownership validation in edit, update, and destroy methods, e...

8.8CVSS6.1AI score0.0028EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:48 p.m.10 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.5AI score0.0021EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:48 p.m.11 views

CVE-2026-36340

An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function...

8.1CVSS6AI score0.00567EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-38532

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00351EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-38529

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

8.8CVSS5.5AI score0.00624EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-38527

A Server-Side Request Forgery SSRF in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request...

8.5CVSS5.5AI score0.00249EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-38528

Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rottenlead parameter at /Lead/LeadDataGrid.php...

7.1CVSS5.6AI score0.00191EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.5AI score0.00351EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.13 views

CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file...

9.9CVSS6AI score0.02759EPSS
Exploits11References1
GithubExploit
GithubExploit
added 2026/05/16 6:51 p.m.248 views

Exploit for CVE-2026-38526

CVE-2026-38526 | Krayin CRM v2.2.x Authenticated RCE - Unrestr...

9.9CVSS6.5AI score0.02759EPSS
Exploits11
OSV
OSV
added 2026/05/07 6:30 p.m.6 views

GHSA-J822-46R5-H4QX Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References8
EUVD
EUVD
added 2026/05/07 6:30 p.m.15 views

EUVD-2026-28390

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/07 6:30 p.m.15 views

Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References8Affected Software1
Snyk
Snyk
added 2026/05/07 5:35 p.m.9 views

Cross-site Scripting (XSS)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in th...

6.1CVSS5.8AI score0.0021EPSS
Exploits0References2
NVD
NVD
added 2026/05/07 4:16 p.m.25 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS0.0021EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 12:0 a.m.30 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

0.0021EPSS
Exploits0References5
OSV
OSV
added 2026/05/07 12:0 a.m.6 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.9AI score0.0021EPSS
Exploits0References7
CVE
CVE
added 2026/05/07 12:0 a.m.18 views

CVE-2026-36341

CVE-2026-36341 : Webkul Krayin CRM 2.1.5 contains a Cross-Site Scripting (XSS) flaw in the comment input during Activity creation via the /admin/activities/create endpoint. The root cause is inadequate sanitization of user-supplied input in the comment field. The CVSS v3.1 base score is 5.4 (Medi...

5.4CVSS5.8AI score0.0021EPSS
Exploits0References5
Rows per page
Query Builder