Packagist (Composer) package
krayin/laravel-crm
pkg:composer/krayin/laravel-crm
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-36341 | Medium | 5.4 | | >= 2.1.5, < 2.1.6 | 2.1.6 | May 7, 2026 | Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint. |
| CVE-2026-36340 | High | 8.1 | | >= 2.1.5, < 2.1.6 | 2.1.6 | Apr 30, 2026 | An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function. |
| CVE-2026-38532 | High | 8.1 | | <= 2.2.0 | — | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. |
| CVE-2026-38530 | High | 8.1 | | <= 2.2.0 | — | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. |
| CVE-2026-38529 | High | 8.8 | | <= 2.2.0 | — | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. |
| CVE-2026-38527 | High | 8.5 | | <= 2.2.0 | — | Apr 14, 2026 | A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. |
| CVE-2026-5370 | Low | 3.5 | | <= 2.2.0 | — | Apr 2, 2026 | A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exp |
| CVE-2024-45932 | — | | | <= 1.3.0 | — | Oct 7, 2024 | Krayin CRM v1.3.0 is vulnerable to Cross Site Scripting (XSS) via the organization name field in /admin/contacts/organizations/edit/2. |
| CVE-2021-41924 | — | | | < 1.2.2 | 1.2.2 | Jun 21, 2022 | Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS). |