CVE-2019-10226
Description
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated HTML injection vulnerability in Fat Free CRM v0.19.0 allows attackers to insert arbitrary HTML via the /comments endpoint, potentially enabling phishing or defacement.
CVE-2019-10226 describes an HTML injection vulnerability in Fat Free CRM v0.19.0. The issue resides in the comments functionality, where user-supplied input is not fully sanitized before being rendered. As a result, an authenticated user can submit HTML tags such as an H1 element, which are then rendered as markup in the comment view [2], [4].
To exploit this, an attacker must have a valid account on the CRM instance. They can then send a crafted POST request to the /comments endpoint with a malicious HTML payload. The request must include a valid CSRF token; the exploit-db PoC demonstrates the technique [4].
While the vendor disputes the severity because basic HTML formatting is allowed and an XSS protection mechanism is in place, the injection could still be used for phishing attacks or to alter the appearance of the page, potentially misleading users or leading to account compromise [2].
The report covers v0.19.0. Users are advised to update to a later version or to apply additional input validation to the comments feature. No official patch has been confirmed, since the vendor considers the behavior acceptable [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fat_free_crm (RubyGems) | <= 0.19.0 | — |
Affected products
- Fat Free CRM / Fat Free CRM
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.exploit-db.com/exploits/46617/ (exploit, via MITRE)
- github.com/advisories/GHSA-gmg5-r3c4-3fm9 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2019-10226 (advisory, via GHSA)
- packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html (web, via GHSA)
- apidock.com/rails/ActionView/Helpers/TextHelper/simple_format (web, via GHSA)
- github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml (web, via GHSA)
- github.com/fatfreecrm/fat_free_crm/issues/1235 (web, via GHSA)
- github.com/github/advisory-database/pull/3599 (web, via GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2019-10226.yml (web, via GHSA)
- www.exploit-db.com/exploits/46617 (web, via GHSA)
News mentions
No linked articles in our index yet.