Krayin CRM
by Webkul
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-38526 | Webkul / Krayin CRM | Critical | 0.64 | 9.9 | 0.01 | | Apr 14, 2026 | An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2026-38529 | Webkul / Krayin CRM | High | 0.57 | 8.8 | 0.01 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. |
| CVE-2026-38532 | Webkul / Krayin CRM | High | 0.53 | 8.1 | 0.00 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. |
| CVE-2026-38530 | Webkul / Krayin CRM | High | 0.53 | 8.1 | 0.00 | | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. |
| CVE-2025-3568 | Webkul / Krayin CRM | | 0.00 | — | 0.00 | | Apr 14, 2025 | A vulnerability has been found in Webkul Krayin CRM up to 2.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/settings/users/edit/ of the component SVG File Handler. The manipulation leads to cross site scripting.… |
| CVE-2024-46366 | Webkul / Krayin CRM | | 0.00 | — | 0.00 | | Sep 27, 2024 | A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is… |
| CVE-2024-46367 | Webkul / Krayin CRM | | 0.00 | — | 0.00 | | Sep 27, 2024 | A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within the username field. This can lead to privilege escalation when the payload is executed, granting the… |
| CVE-2023-2925 | Webkul / Krayin CRM | | 0.00 | — | 0.01 | | May 27, 2023 | A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site… |
| CVE-2021-41924 | Webkul / Krayin CRM | | 0.00 | — | 0.01 | | Jun 21, 2022 | Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS). |