Krayin CRM
by Webkul
CVEs (3)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-38529 | High | 0.57 | 8.8 | 0.00 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. |
| CVE-2026-38532 | High | 0.53 | 8.1 | 0.00 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. |
| CVE-2026-38530 | High | 0.53 | 8.1 | 0.00 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. |