Laravel CRM
by Krayin
Source repositories
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-38526 | Cri | 0.64 | 9.9 | 0.00 | Apr 14, 2026 | An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. | |
| CVE-2026-38527 | Hig | 0.55 | 8.5 | 0.00 | Apr 14, 2026 | A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. | |
| CVE-2026-36340 | Hig | 0.53 | 8.1 | 0.00 | Apr 30, 2026 | An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function | |
| CVE-2026-38528 | Hig | 0.46 | 7.1 | 0.00 | Apr 14, 2026 | Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | |
| CVE-2026-36341 | Med | 0.28 | 5.4 | 0.00 | May 7, 2026 | Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint | |
| CVE-2026-5370 | Low | 0.16 | 3.5 | 0.00 | Apr 2, 2026 | A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch. |
- risk 0.64cvss 9.9epss 0.00
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
- risk 0.55cvss 8.5epss 0.00
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
- risk 0.53cvss 8.1epss 0.00
An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function
- risk 0.46cvss 7.1epss 0.00
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
- risk 0.28cvss 5.4epss 0.00
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
- risk 0.16cvss 3.5epss 0.00
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.