VYPR
Medium severity · 5.4 · NVD Advisory · Published May 7, 2026 · Updated May 7, 2026

CVE-2026-36341

Description

Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        | Affected versions   | Patched versions
krayin/laravel-crm (Packagist) | >= 2.1.5, < 2.1.6   | 2.1.6

Patches

fc467040de21

Merge pull request #2401 from VikassWebkul214254/2.1

https://github.com/krayin/laravel-crm · Vikas Vishwakarma · Dec 23, 2025 · via ghsa
9 files changed · +11 -17
  • packages/Webkul/Admin/src/Resources/views/components/layouts/index.blade.php  +1 -1  modified
    @@ -10,7 +10,7 @@ class="{{ request()->cookie('dark_mode') ? 'dark' : '' }}"
     
         {!! view_render_event('admin.layout.head.before') !!}
     
    -    <title>{{ $title ?? '' }}</title>
    +    <title>{{ $title }}</title>
     
         <meta charset="UTF-8">
     
    
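    Review bot: dropping the `?? ''` fallback on the `<title>` line means any view that renders `<x-admin::layouts>` without a `title` slot now raises an undefined-variable error instead of an empty title; keep `{{ $title ?? '' }}` or give the component a default. Note also that this change adds no escaping: `$title` here is a component slot, which is Htmlable, and Blade's `{{ }}` passes Htmlable content through unescaped, so the slot contents in the other files are where the sanitising actually has to happen.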
  • packages/Webkul/Admin/src/Resources/views/configuration/edit.blade.php  +3 -1  modified
    @@ -1,10 +1,12 @@
     @php
         $activeConfiguration = system_config()->getActiveConfigurationItem();
    +
    +    $name = $activeConfiguration->getName();
     @endphp
     
     <x-admin::layouts>
         <x-slot:title>
    -        {{ $name = $activeConfiguration->getName() }}
    +        {{ strip_tags($name) }}
         </x-slot>
     
         {!! view_render_event('admin.configuration.edit.form_controls.before') !!}
    
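    Review bot: moving the `$name = ...` assignment out of the echo and into the `@php` block is the right cleanup, but `strip_tags()` is a lossy sanitiser: a configuration name containing an unmatched `<` loses everything after that character. Since `{{ }}` already HTML-escapes the string it is given, `{{ $name }}` is enough for the `<title>` slot and preserves the value; keep `strip_tags` only if this slot is deliberately rendered raw somewhere else.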
  • packages/Webkul/Admin/src/Resources/views/contacts/persons/view.blade.php  +1 -1  modified
    @@ -1,6 +1,6 @@
     <x-admin::layouts>
         <x-slot:title>
    -        @lang('admin::app.contacts.persons.view.title', ['name' => $person->name])
    +        @lang('admin::app.contacts.persons.view.title', ['name' => strip_tags($person->name)])
         </x-slot>
     
         <!-- Content -->
    
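    Review bot: the real problem on this line is `@lang`, which echoes the translated string without escaping, so `$person->name` was being written into the title raw; wrapping it in `strip_tags()` closes the tag-injection path but still outputs the result unescaped and truncates names that contain an unmatched `<`. Prefer `{{ __('admin::app.contacts.persons.view.title', ['name' => $person->name]) }}`, which escapes the substituted name and needs no stripping.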
  • packages/Webkul/Admin/src/Resources/views/leads/view.blade.php  +2 -1  modified
    @@ -1,10 +1,11 @@
     <x-admin::layouts>
         <x-slot:title>
    -        @lang('admin::app.leads.view.title', ['title' => $lead->title])
    +        @lang('admin::app.leads.view.title', ['title' => strip_tags($lead->title)])
         </x-slot>
     
         <!-- Content -->
         <div class="relative flex gap-4 max-lg:flex-wrap">
    +
             <!-- Left Panel -->
             {!! view_render_event('admin.leads.view.left.before', ['lead' => $lead]) !!}
     
    
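    Review bot: same point as the persons view: `@lang` echoes unescaped, so `{{ __('admin::app.leads.view.title', ['title' => $lead->title]) }}` would escape `$lead->title` instead of stripping it. The added empty line after `<div class="relative flex gap-4 max-lg:flex-wrap">` is unrelated whitespace and should be dropped from a security fix.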
  • packages/Webkul/Admin/src/Resources/views/mail/view.blade.php  +1 -9  modified
    @@ -8,7 +8,7 @@
     
     <x-admin::layouts>
         <x-slot:title>
    -        @lang('admin::app.mail.view.subject', ['subject' => $email->subject])
    +        @lang('admin::app.mail.view.subject', ['subject' => strip_tags($email->subject)])
         </x-slot>
     
         <div class="flex flex-col gap-4">
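    Review bot: an email subject is normally authored by the external sender rather than by an admin, so this title is the most exposed of the set; `@lang` still outputs it unescaped after `strip_tags()`, whereas `{{ __('admin::app.mail.view.subject', ['subject' => $email->subject]) }}` would escape it properly and keep subjects that contain a literal `<` intact.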
    @@ -1342,14 +1342,6 @@ class="primary-button"
                             }
     
                             if (this.getActionType == 'reply-all') {
    -                            console.log(this.action.email);
    -
    -                            console.log([
    -                                this.action.email.from,
    -                                ...(this.action.email?.cc || []),
    -                                ...(this.action.email?.bcc || []),
    -                            ]);
    -
                                 return [
                                     this.action.email.from,
                                     ...(this.action.email?.cc || []),
    
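    Review bot: removing the `console.log` calls is welcome (they dumped the full from/cc/bcc address list of an email into the browser console on every reply-all), but it is unrelated to the XSS fix and belongs in its own commit so the security change stays reviewable on its own.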
  • packages/Webkul/Admin/src/Resources/views/products/view.blade.php  +1 -1  modified
    @@ -1,6 +1,6 @@
     <x-admin::layouts>
         <x-slot:title>
    -        @lang ($product->name)
    +        {{ strip_tags($product->name) }}
         </x-slot>
     
         <!-- Content -->
    
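    Review bot: the old `@lang ($product->name)` passed a user-controlled product name as a translation key and echoed the result unescaped, so switching to `{{ }}` is the actual fix here; `strip_tags()` on top is redundant with the escaping and truncates product names containing an unmatched `<`, so `{{ $product->name }}` is sufficient.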
  • packages/Webkul/Admin/src/Resources/views/settings/warehouses/view.blade.php  +1 -1  modified
    @@ -1,6 +1,6 @@
     <x-admin::layouts>
         <x-slot:title>
    -        @lang ($warehouse->name)
    +        {{ strip_tags($warehouse->name) }}
         </x-slot>
     
         <div class="flex gap-4 max-lg:flex-wrap">
    
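    Review bot: same as the products view: `{{ $warehouse->name }}` already escapes, so the `strip_tags()` wrapper only risks mangling legitimate warehouse names that contain a `<`.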
  • packages/Webkul/Admin/src/Resources/views/settings/workflows/create.blade.php  +0 -1  modified
    @@ -1233,7 +1233,6 @@ class="icon-delete cursor-pointer rounded-md p-1.5 text-2xl transition-all hover
                                 this.action.value = '';
                             }
     
    -                        console.log("matchedAttribute", matchedAttribute);
                             return matchedAttribute;
                         },
                     },
    
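    Review bot: dropping the `console.log("matchedAttribute", matchedAttribute)` debug line is fine but unrelated to the advisory; keep cleanup commits separate from security fixes so the fix itself can be reviewed and backported cleanly.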
  • packages/Webkul/WebForm/src/Resources/views/settings/web-forms/preview.blade.php  +1 -1  modified
    @@ -1,6 +1,6 @@
     <x-web_form::layouts>
         <x-slot:title>
    -        {{ $webForm->title }}
    +        {{ strip_tags($webForm->title) }}
         </x-slot>
     
         <!-- Web Form -->
    
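    Review bot: `{{ $webForm->title }}` was already HTML-escaped before this change, so adding `strip_tags()` buys nothing for the `<title>` context and truncates titles containing an unmatched `<`. More importantly, none of the nine files in this PR touch the activity comment field on `/admin/activities/create` that the advisory describes; confirm where that fix lands before treating 2.1.6 as the patched version for this CVE.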
