VYPR

Krayin CRM

by Webkul

Source repositories

CVEs (9)

  • CVE-2026-38526CriApr 14, 2026
    risk 0.64cvss 9.9epss 0.01

    An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.

  • CVE-2026-38529HigApr 14, 2026
    risk 0.57cvss 8.8epss 0.01

    A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.

  • CVE-2026-38532HigApr 14, 2026
    risk 0.53cvss 8.1epss 0.00

    A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.

  • CVE-2026-38530HigApr 14, 2026
    risk 0.53cvss 8.1epss 0.00

    A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.

  • CVE-2025-3568Apr 14, 2025
    risk 0.00cvss epss 0.00

    A vulnerability has been found in Webkul Krayin CRM up to 2.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/settings/users/edit/ of the component SVG File Handler. The manipulation leads to cross site scripting.…

  • CVE-2024-46366Sep 27, 2024
    risk 0.00cvss epss 0.00

    A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is…

  • CVE-2024-46367Sep 27, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within the username field. This can lead to privilege escalation when the payload is executed, granting the…

  • CVE-2023-2925May 27, 2023
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site…

  • CVE-2021-41924Jun 21, 2022
    risk 0.00cvss epss 0.01

    Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).