Vendor
Webkul
Products
4
CVEs
10
Across products
10
Status
Private
Products
4- 4 CVEs
- 3 CVEs
- 2 CVEs
- 1 CVE
Recent CVEs
10| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-38529 | Hig | 0.57 | 8.8 | 0.00 | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. | |
| CVE-2026-38532 | Hig | 0.53 | 8.1 | 0.00 | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. | |
| CVE-2026-38530 | Hig | 0.53 | 8.1 | 0.00 | Apr 14, 2026 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. | |
| CVE-2025-6173 | Med | 0.31 | 4.7 | 0.00 | Jun 17, 2025 | A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release. | |
| CVE-2010-1659 | 0.03 | — | 0.04 | May 3, 2010 | Directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. | ||
| CVE-2021-41074 | 0.00 | — | 0.00 | Jan 12, 2026 | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. | ||
| CVE-2025-67325 | 0.00 | — | 0.00 | Jan 8, 2026 | Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. | ||
| CVE-2025-10759 | 0.00 | — | 0.00 | Sep 21, 2025 | A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." | ||
| CVE-2025-1155 | 0.00 | — | 0.00 | Feb 10, 2025 | A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your Location Search. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. It is planned to remove this page in the long term. | ||
| CVE-2025-1074 | 0.00 | — | 0.00 | Feb 6, 2025 | A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Affected is the function logout of the file /en/?mylogout of the component URL Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. They are aware about it and are working on resolving it. |