Is there a public PoC exploit available for CVE-2026-6651?

Yes, a public proof-of-concept exploit is available for CVE-2026-6651. Prioritise patching immediately. EPSS: 0.0%.

Erp Online CVE-2026-6651

Q: What is the CVSS score of CVE-2026-6651?

CVE-2026-6651 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23877 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-20 VulDB

GHSA-82p8-693h-j5x5

XSS Erp Online

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 20, 2026 - 16:22 NVD

LOW MEDIUM

CVSS changed

Apr 20, 2026 - 16:22 NVD

2.4 (LOW) 4.8 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 15:51 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 15:15 euvd

EUVD-2026-23877

Analysis Generated

Apr 20, 2026 - 15:15 vuln.today

CVE Published

Apr 20, 2026 - 14:45 nvd

LOW 1.9

DescriptionCVE.org

A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high privileges to inject malicious scripts via the Item Name parameter on the Inventory Edit Item Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification, leaving affected deployments without a patched remediation path.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Acquire high-privilege credentials via phishing

Delivery

Authenticate to ERP Online admin panel

Exploit

Navigate to Inventory Edit Item Page

Install

Inject JavaScript in Item Name field

Submit malicious item entry

Execute

Victim views item record

Impact

XSS payload executes in victim browser