Skip to main content

Webkul Krayin CRM CVE-2026-36341

| EUVDEUVD-2026-28390 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 cve@mitre.org GHSA-j822-46r5-h4qx
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 07, 2026 - 18:45 vuln.today
Analysis Generated
May 07, 2026 - 18:45 vuln.today
CVSS changed
May 07, 2026 - 17:22 NVD
5.4 (MEDIUM)
CVE Published
May 07, 2026 - 16:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 16:16 nvd
MEDIUM 5.4

DescriptionCVE.org

Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint

AnalysisAI

Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.

Technical ContextAI

Webkul Krayin CRM is a Laravel-based customer relationship management platform. The vulnerability stems from inadequate input validation and output encoding in Blade template rendering. User-supplied data (names, titles, subjects, and comments) is passed directly to @lang() translation functions or {{ }} output constructs without sanitization, allowing HTML and JavaScript injection. The fix applies strip_tags() function during template rendering to remove HTML tags from user-controlled variables before display. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a failure to encode or filter user input at the output layer. Multiple templates were affected: contacts/persons/view.blade.php, leads/view.blade.php, products/view.blade.php, configuration/edit.blade.php, mail/view.blade.php, and settings components, indicating systemic lack of output encoding across the codebase.

RemediationAI

Upgrade to Webkul Krayin CRM v2.1.6 or later immediately, which applies strip_tags() sanitization across all vulnerable Blade templates (confirmed via GitHub PR #2401). For deployments unable to upgrade immediately, restrict admin panel access to trusted internal users only via network segmentation or IP whitelisting on the /admin/activities/create endpoint, and disable Activity comment functionality if not essential. Additionally, implement Content Security Policy (CSP) headers with script-src 'self' to mitigate stored XSS payload execution in the browser as a compensating control, though this does not prevent injection. Monitor admin user activity logs for suspicious activity creation or comments containing HTML/JavaScript syntax. Apply the patch at https://github.com/krayin/laravel-crm/pull/2401 via version upgrade; manual patch application is not recommended due to complexity of template changes across multiple files.

Share

CVE-2026-36341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy