Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/purchase_return_save endpoint. The vulnerability requires user interaction (UI:P) to trigger, and publicly available exploit code exists. The vendor has not responded to disclosure attempts, leaving affected installations without official guidance or patches.
Technical ContextAI
The vulnerability is a classic CWE-79 reflected or stored XSS flaw in the purchase return processing functionality of the ERP system. The affected endpoint /inventory/purchase_return_save fails to properly sanitize or encode user-supplied input before rendering it in responses or storing it in the database. ERP Online is a web-based enterprise resource planning application, and this specific function handles inventory purchase return transactions. The CVSS vector indicates the vulnerability requires high-level privileges (PR:H, likely administrative access) to exploit and necessitates user interaction (UI:P), suggesting the malicious payload must be crafted by the attacker and delivered to another user or administrator for activation, or the high-privilege user must be socially engineered into triggering the malicious input.
RemediationAI
No vendor-released patch identified at time of analysis, as the vendor has not responded to disclosure attempts. Immediate remediation options are limited to compensating controls: (1) Restrict access to the /inventory/purchase_return_save endpoint to only the users and IP addresses that genuinely require it, using web application firewall (WAF) rules or network access controls; side effect is reduced flexibility for remote inventory management. (2) Implement strict input validation and output encoding at the web server level using ModSecurity or similar WAF rulesets with XSS-specific signatures; this may block legitimate use cases if overly aggressive. (3) Disable the purchase return functionality entirely if not in active use, eliminating the attack surface. (4) Apply HTTP security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) to mitigate XSS impact even if injection occurs. (5) Monitor administrator account activity and log all interactions with the /inventory/purchase_return_save endpoint for forensic detection of attacks. Given the vendor's non-responsiveness, consider evaluating alternative ERP platforms or requesting security updates directly from the vendor with a formal deadline. Reference: https://vuldb.com/vuln/362435
More in Erp Online
View allReflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated
Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject m
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated use
Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high priv
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28954
GHSA-26gm-rrp5-38p4