VYPR
Vendor: Perfexcrm

Products: 3
CVEs: 9
Across products: 11
Status: Private

Recent CVEs (9)

  • CVE-2017-17976 | Critical | Jan 26, 2018
    risk 0.68 | cvss 9.8 | epss 0.13

    In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution.

  • CVE-2025-55903 | High | Oct 10, 2025
    risk 0.54 | cvss 8.3 | epss 0.00

    An HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents.

  • CVE-2024-56908 | Medium | Feb 13, 2025
    risk 0.44 | cvss 6.8 | epss 0.01

    In Perfex CRM < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload…

  • CVE-2026-7782 | Medium | May 4, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be…

  • CVE-2025-10346 | Sep 29, 2025
    risk 0.00 | cvss - | epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'.

  • CVE-2024-8867 | Sep 15, 2024
    risk 0.00 | cvss - | epss 0.00

    A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting.…

  • CVE-2024-44851 | Sep 11, 2024
    risk 0.00 | cvss - | epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter.

  • CVE-2021-40303 | Nov 8, 2022
    risk 0.00 | cvss - | epss 0.01

    Perfex CRM 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.

  • CVE-2020-28961 | Oct 22, 2021
    risk 0.00 | cvss - | epss 0.01

    Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter.