Search
Search Results (9 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-36341 | 1 Krayin | 1 Laravel-crm | 2026-05-07 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint | ||||
| CVE-2026-36340 | 1 Krayin | 1 Laravel-crm | 2026-05-02 | 8.1 High |
| An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function | ||||
| CVE-2026-5370 | 1 Krayin | 1 Laravel-crm | 2026-04-24 | 3.5 Low |
| A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch. | ||||
| CVE-2026-38529 | 2 Krayin, Webkul | 2 Laravel-crm, Krayin Crm | 2026-04-23 | 8.8 High |
| A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | ||||
| CVE-2026-38530 | 2 Krayin, Webkul | 2 Laravel-crm, Krayin Crm | 2026-04-23 | 8.1 High |
| A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38532 | 2 Krayin, Webkul | 2 Laravel-crm, Krayin Crm | 2026-04-23 | 8.1 High |
| A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. | ||||
| CVE-2026-38527 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 8.5 High |
| A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. | ||||
| CVE-2026-38528 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 7.1 High |
| Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | ||||
| CVE-2026-38526 | 1 Krayin | 1 Laravel-crm | 2026-04-17 | 9.9 Critical |
| An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. | ||||
Page 1 of 1.